Please sign your releases #1

Open
@nirgal

It looks like you are using GPG, since the last tags were signed.

It would be great if you could sign your releases, so we don't have to trust Microsoft not to hack into the downloads.

  1. You could add "--sign" to your git tag command, even if you have it in your defaults somewhere else.

  2. Generate detached signatures of your archives. One example is https://www.apache.org/dist/httpd/

If you have several keys and you need to choose one, add a line like:

    GPGOPT="--default-key 2CF55E8890175AAA5332A60587435B0A61E3EB49"

Then at the end of the script:

    gpg $GPGOPT --detach-sign phpPgAdmin-$2.tar.bz2
    gpg $GPGOPT --detach-sign phpPgAdmin-$2.tar.gz
    gpg $GPGOPT --detach-sign phpPgAdmin-$2.zip

(by the way, the modern encryption algorithm is xz)

  3. Publish somewhere the list of keys that can be trusted.
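The consumer side of points 2 and 3, as an added example (not phpPgAdmin project code): verify a detached signature and pin the signer to the published trusted fingerprints, since a bare `gpg --verify` exits 0 for any key that happens to be in the local keyring. It assumes `gpg` is on PATH for `verify_release`; the status-line parsing is pure Python and works on the text `gpg --status-fd 1` produces.

```python
"""Verify a release archive's detached GPG signature and pin the signing key.

Added example, not the project's own code. Assumes the maintainer publishes
detached .asc/.sig files beside the archives and a list of trusted key
fingerprints; `gpg` must be on PATH for verify_release().
"""
import subprocess
from typing import Iterable

# Status keywords that mean the signature must be rejected, whatever gpg's
# exit code says (expired/revoked keys still produce "valid" signatures).
BAD_STATUS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG", "EXPSIG"}


def signer_is_trusted(status_output: str, trusted_fprs: Iterable[str]) -> bool:
    """Return True only if the machine-readable gpg status shows a good
    signature made by a key whose full fingerprint is on the trusted list.

    The VALIDSIG line carries the signing (sub)key fingerprint in field 2 and,
    when present, the primary key fingerprint in field 11; either may match a
    published fingerprint.  Key IDs are never compared: they are too short.
    """
    trusted = {f.replace(" ", "").upper() for f in trusted_fprs}
    seen_fprs = set()
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword in BAD_STATUS:
            return False
        if keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire> <ver> <rsvd> <pk-algo>
            #          <hash-algo> <class> [<primary-fpr>]
            seen_fprs.add(fields[2].upper())
            if len(fields) >= 12:
                seen_fprs.add(fields[11].upper())
    return bool(seen_fprs & trusted)


def verify_release(archive: str, signature: str, trusted_fprs: Iterable[str]) -> bool:
    """Run gpg on the detached signature, then apply the fingerprint pin."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, archive],
        capture_output=True, text=True, check=False,
    )
    return proc.returncode == 0 and signer_is_trusted(proc.stdout, trusted_fprs)
```

Usage: `verify_release("phpPgAdmin-7.0.0.tar.gz", "phpPgAdmin-7.0.0.tar.gz.asc", [published_fingerprint])`, where the fingerprint list is fetched once from the maintainer's published key list rather than from the same server as the archive.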
