Sign and hash release files #1438
Comments
Yeah, it is a must from a security point of view, thanks for pointing it out. IMO, it should be automated in the release GitHub Action script.
Secure gpg signing cannot be automated.
Oh, sorry, I don't know much about the topic, so surely I am missing obvious things: I thought you could run those commands in the script and upload the result with the binaries. From a quick read it seems you could upload a private key to do it: https://zambrovski.medium.com/foss-ci-cd-with-github-actions-c65c37236c19 In any case we could do it locally for this release: @Ailrun have you done something similar in the past? (I can try to do it on my Windows machine, though, I suppose.)
I advise against that. The point of gpg is that no one except the owner knows about the password (and the private key) and that it identifies a person (and that I can call that person and do a fingerprint verification of their key). Creating those two files could simply be part of the release procedure. It takes maybe 2 minutes. I don't see much value in automating that.
I see and (partially?) agree.
Well, it is more about the process overhead; it is one thing you don't have to remember or think about if the process works correctly.
Sure, that's why there could be a release document, outlining all the steps with commands.
Any progress?
Would make sense to start only with
I think it only makes sense to have both.
I see, if we add an artifact to a release I guess we should have a SHA256SUMS-rev1 and SHA256SUMS-rev1.sig
No, you want SHA256SUMS and SHA256SUMS.sig for the entirety of the release assets.
I think we did this?
I can't verify the validity and the authorship of the release files currently.
You can do, e.g.:
And then upload both SHA256SUMS and SHA256SUMS.sig.
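The issue body above describes the procedure (hash every release asset into one SHA256SUMS file, sign that file, upload both) but the commands themselves did not survive on this page. The script below is an added example and is not code from the issue or from the project: it assumes a release directory (the `dist/` path in the usage lines is a placeholder), GNU coreutils `sha256sum`, and `gpg`. In line with the thread's argument, the signing step runs interactively on the releaser's own machine, so no private key or passphrase is ever placed in CI.

```shell
#!/bin/sh
# Added example (not from the issue): build, sign and verify a SHA256SUMS
# file covering every asset in a release directory. Assumes GNU coreutils
# sha256sum and gpg are installed; the directory name is a placeholder.
set -eu

# Write SHA256SUMS in coreutils format ("<hex>  <name>") for every regular
# file in the directory, skipping the hash file and its signature so the
# step can be re-run when an asset is added to the release.
write_sums() {
    dir=$1
    (
        cd "$dir"
        for f in *; do
            case "$f" in SHA256SUMS|SHA256SUMS.sig) continue ;; esac
            if [ -f "$f" ]; then sha256sum "$f"; fi
        done > SHA256SUMS
    )
}

# Check every listed asset against SHA256SUMS; non-zero exit if any file is
# missing or its digest differs (a corrupted or tampered download).
check_sums() {
    dir=$1
    ( cd "$dir" && sha256sum -c SHA256SUMS ) >/dev/null 2>&1
}

# Create a detached, ASCII-armored signature over the hash file. Runs on the
# releaser's own machine: gpg prompts for the passphrase of their private
# key, which never leaves that machine (no key material in CI).
sign_sums() {
    dir=$1
    gpg --armor --detach-sign --output "$dir/SHA256SUMS.sig" "$dir/SHA256SUMS"
}

# Consumer-side check: the signature first (who published the hash file),
# then the hashes (the assets match what was signed). Matching hashes
# without a valid signature say nothing about authorship.
verify_release() {
    dir=$1
    gpg --verify "$dir/SHA256SUMS.sig" "$dir/SHA256SUMS" && check_sums "$dir"
}

# Usage (dist/ is a placeholder for the release directory):
#   sh release-sums.sh write_sums dist/
#   sh release-sums.sh sign_sums dist/
#   sh release-sums.sh verify_release dist/   # after downloading both files
[ "$#" -eq 0 ] || "$@"
```

The order in `verify_release` is the part worth remembering: a consumer imports and fingerprint-checks the releaser's public key once, then every release is checked signature first and hashes second, which is exactly the two-file layout (SHA256SUMS plus SHA256SUMS.sig over all assets) the thread settles on.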