Skip to content

GPG signatures for source validation #39

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
NicoHood opened this issue May 13, 2017 · 5 comments
Closed

GPG signatures for source validation #39

NicoHood opened this issue May 13, 2017 · 5 comments
Labels
acknowledged feedback

Comments

@NicoHood
Copy link

As we all know, today more than ever before, it is crucial to be able to trust
our computing environments. One of the main difficulties that package
maintainers of Linux distributions face, is the difficulty to verify the
authenticity and the integrity of the source code.

The Arch Linux team would appreciate it if you would provide us GPG signatures
in order to verify easily and quickly your source code releases.

Overview of the required tasks:

  • Create and/or use a 4096-bit RSA keypair for the file signing.
  • Keep your key secret, use a strong unique passphrase for the key.
  • Upload the public key to a key server and publish the full fingerprint.
  • Sign every new git commit and tag.
  • Create signed compressed (xz --best) release archives
  • Upload a strong message digest (sha512) of the archive
  • Configure https for your download server

GPGit is meant to bring GPG to the masses.
It is not only a shell script that automates the process of creating new signed
git releases with GPG but also comes with this step-by-step readme guide for
learning how to use GPG.

Additional Information:

Thanks in advance.
@Byron
Copy link
Member

Byron commented May 28, 2017

@NicoHood Can you please check to what extend these files match your requirements? I have just used twine upload -s -i <me> dist/* to do produce the signature, and on top of that all my commits are now signed with the same key.

@Byron Byron added the feedback label May 28, 2017
@NicoHood
Copy link
Author

As stated in the other comment, it all works perfectly. Thanks

@NicoHood
Copy link
Author

NicoHood commented Jul 8, 2018

The gpg key got revoked. See gitpython-developers/smmap#36 (comment)

@NicoHood NicoHood reopened this Jul 8, 2018
@Byron
Copy link
Member

Byron commented Jul 15, 2018

Sorry for the late reply! I have uploaded version 2.0.4 just for the purpose of signing it with a valid key of mine.

@NicoHood
Copy link
Author

Thanks. And please do not always switch your gpg keys. You can update the key expire date when its near expiring. Otherwise there is no real security in GPG.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
acknowledged feedback
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Byron @NicoHood