Could you please provide GPG signatures for each of the .tar.gz releases as
part of your release process? It would be helpful for downstream distributors
like the Fedora Project to quickly verify the integrity of their download if
releases are signed by one of the prominent authors.
Example of Signing
==================
    # gpg -a -b -s memcached-1.4.23.tar.gz
This creates a corresponding memcached-1.4.23.tar.gz.asc file. Provide both
the .tar.gz and a signature link for downloads for those who want to verify the
integrity of the tarball.
Ideally the release manager or a prominent developer of the project would be
the one signing the tarballs. If they do not already have a GPG key, it would
be a good time to create one now and announce the key signature to the
community on the mailing list.
Example of Signing Identity
===========================
    # gpg --fingerprint 0E604491
    pub   2048R/0E604491 2013-04-30
          Key fingerprint = 8657 ABB2 60F0 56B1 E519 0839 D9C4 D26D 0E60 4491
    uid                  Matt Caswell <matt@openssl.org>
    uid                  Matt Caswell <frodo@baggins.org>
    sub   2048R/E3C21B70 2013-04-30
This is one of the signers of openssl releases.
Example of Verification
=======================
http://openssl.org/source/
    # wget http://openssl.org/source/openssl-1.0.2a.tar.gz
    # wget http://openssl.org/source/openssl-1.0.2a.tar.gz.asc
    # gpg --verify openssl-1.0.2a.tar.gz.asc
    gpg: assuming signed data in `openssl-1.0.2a.tar.gz'
    gpg: Signature made Thu 19 Mar 2015 03:31:21 AM HST using RSA key ID 0E604491
    gpg: Good signature from "Matt Caswell <matt@openssl.org>"
    gpg:                 aka "Matt Caswell <frodo@baggins.org>"
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg:          There is no indication that the signature belongs to the owner
Original issue reported on code.google.com by wtog...@gmail.com on 22 Apr 2015 at 7:18
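As an added example (not part of the original issue and not memcached's own tooling), here is the check a downstream packager would script on top of the `gpg --verify` step shown above. The WARNING in that output means a "Good signature" by itself only proves that some key signed the tarball; the distributor still has to compare the signer's fingerprint against the one the project announced. This Python parses gpg's machine-readable `--status-fd` output and accepts a signature only when its `VALIDSIG` fingerprint is in a pinned set. The pinned fingerprint is the one printed in the issue; the sample status lines are constructed (the timestamps and the second, unpinned key are invented), and `run_gpg_verify()` assumes a `gpg` binary on PATH.

```python
"""Verify a detached GPG signature and pin the signer's fingerprint.

Added example, not code from the original issue or from memcached.
check_signature() needs no gpg at all; run_gpg_verify() assumes `gpg` on PATH.
"""
import re
import subprocess

# Fingerprint quoted in the issue (OpenSSL release signer). A distributor
# would maintain this set from the project's key announcement (assumption).
PINNED_FINGERPRINTS = {
    "8657 ABB2 60F0 56B1 E519 0839 D9C4 D26D 0E60 4491",
}

_STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def normalize_fpr(fpr):
    """Drop the spacing gpg prints in --fingerprint output and upper-case."""
    return re.sub(r"\s+", "", fpr).upper()


def parse_status(status_text):
    """Turn `gpg --status-fd` lines into {KEYWORD: [argument string, ...]}."""
    found = {}
    for line in status_text.splitlines():
        m = _STATUS_RE.match(line.strip())
        if m:
            found.setdefault(m.group(1), []).append(m.group(2) or "")
    return found


def check_signature(status_text, pinned=PINNED_FINGERPRINTS):
    """Return (ok, reason). ok is True only for a GOODSIG/VALIDSIG made by a
    pinned key; a good signature from an unknown key is rejected."""
    st = parse_status(status_text)
    for bad in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG",
                "EXPSIG", "NODATA"):
        if bad in st:
            return False, f"{bad}: {st[bad][0]}"
    if "GOODSIG" not in st or "VALIDSIG" not in st:
        return False, "no GOODSIG/VALIDSIG in gpg status output"
    # VALIDSIG: <signing-key fpr> <date> <sig ts> <expiry ts> <ver> <reserved>
    #           <pubkey algo> <hash algo> <sig class> <primary-key fpr>
    fields = st["VALIDSIG"][0].split()
    signing_fpr = normalize_fpr(fields[0])
    primary_fpr = normalize_fpr(fields[9]) if len(fields) >= 10 else signing_fpr
    pins = {normalize_fpr(p) for p in pinned}
    if primary_fpr in pins or signing_fpr in pins:
        return True, f"good signature from pinned key {primary_fpr} ({st['GOODSIG'][0]})"
    return False, f"good signature, but key {primary_fpr} is not pinned"


def run_gpg_verify(sig_path, data_path, pinned=PINNED_FINGERPRINTS):
    """Run gpg on a detached signature and apply check_signature() to it."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True,
    )
    return check_signature(proc.stdout, pinned)


# Constructed status output: a good signature from the pinned key
# (timestamps invented, fingerprint from the issue).
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D9C4D26D0E604491 Matt Caswell <matt@openssl.org>
[GNUPG:] VALIDSIG 8657ABB260F056B1E5190839D9C4D26D0E604491 2015-03-19 1426772481 0 4 0 1 8 00 8657ABB260F056B1E5190839D9C4D26D0E604491
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: cryptographically good, but signed by a key nobody pinned.
SAMPLE_UNPINNED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 5566777788889999 Someone Else <constructed@example.invalid>
[GNUPG:] VALIDSIG 1111222233334444555566667777888899990000 2015-03-19 1426772481 0 4 0 1 8 00 1111222233334444555566667777888899990000
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: tarball was modified after signing.
SAMPLE_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG D9C4D26D0E604491 Matt Caswell <matt@openssl.org>
"""

if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("unpinned", SAMPLE_UNPINNED),
                         ("bad", SAMPLE_BAD)):
        print(name, check_signature(sample))
```

Pinning the primary-key fingerprint (the last `VALIDSIG` field) rather than the short key ID matters because short IDs are not unique; the fingerprint is what the project should announce alongside a release.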