
distribution packages should be GPG signed

Open SethTisue opened this issue 7 years ago • 4 comments

as suggested by @jarrodu at https://github.com/scala/scala-lang/issues/463

SethTisue avatar May 08 '18 09:05 SethTisue

Good timing, I would really like to see this.

FYI, even though you decided "not to do checksums" and just do gpg, the way the process usually works is that the checksum is stored in a file, and then a signature is provided for that file. See the Ubuntu releases for an example. (Don't copy their lack of https, however :)

Generating the checksums is easy (sha256sum *.deb > checksums.txt), the hard part will be determining the security practices for the signing key. You might look into a HW solution like Yubikey. I have not used this for code signing but I think it would work well. There are numerous guides, here's a simple and straight-forward one: https://eclipsesource.com/blogs/2016/11/25/yubikey-code-signing-with-a-smart-card/

Thanks, Evan

evancox10 avatar May 13 '18 20:05 evancox10
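The comment above describes the usual release process (a checksum file, one detached GPG signature over that file, and a downloader who verifies the signature before the checksums) without showing it. The script below is an added example, not scala-dist's release tooling. It assumes GNU coreutils `sha256sum` and GnuPG 2.x are on PATH, a hypothetical `SIGNING_KEY` environment variable naming the release key, and that the downloader has obtained the release key's fingerprint out of band (for example from a security page served over https):

```shell
#!/bin/sh
# Added example (not scala-dist's own release tooling).
# Assumptions: GNU sha256sum and gpg 2.x on PATH; SIGNING_KEY (hypothetical)
# names the release signing key (key ID, fingerprint or user ID).
set -eu

# Release side, step 1: one sha256 line per artifact in DIR, written to
# DIR/checksums.txt. Only the checksum list gets signed, not every artifact.
make_checksums() {
    dir=$1
    (
        cd "$dir"
        : > checksums.txt
        for f in *; do
            case $f in checksums.txt|checksums.txt.asc) continue ;; esac
            if [ -f "$f" ]; then
                sha256sum "$f" >> checksums.txt
            fi
        done
    )
}

# Release side, step 2: detached, ASCII-armoured signature over the checksum
# list -> DIR/checksums.txt.asc. Publish checksums.txt and checksums.txt.asc
# next to the artifacts.
sign_checksums() {
    dir=$1
    key=${SIGNING_KEY:?set SIGNING_KEY to the release key}
    gpg --batch --yes --local-user "$key" --armor --detach-sign "$dir/checksums.txt"
}

# Downloader side: verify the signature FIRST, and insist that it was made by
# the pinned release key (VALIDSIG carries the signing key's fingerprint), so a
# signature from any other key that happens to be in the keyring is rejected.
# Only then compare the artifacts against the now-trusted checksum list.
verify_release() {
    dir=$1
    expected_fpr=${2:?expected release key fingerprint required}
    status=$(cd "$dir" && gpg --batch --status-fd 1 \
        --verify checksums.txt.asc checksums.txt 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $expected_fpr " || return 1
    ( cd "$dir" && sha256sum --check --strict checksums.txt )
}
```

Because the signature covers `checksums.txt` rather than each artifact, a tampered artifact still fails (its hash no longer matches the signed list), and a tampered or regenerated `checksums.txt` fails earlier at `gpg --verify`. Checking the fingerprint in `VALIDSIG` is the part most ad-hoc verification scripts skip: `gpg --verify` alone returns success for any key in the local keyring.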

@evancox10 The jars are already signed when they're published to Maven Central (see 2.12.6 for example), so I assume there's already a key that can easily be used for this.

NthPortal avatar May 13 '18 21:05 NthPortal

@hamzaremmal since you're looking at related work for Scala 3, just FYI that this ticket exists and never attracted much attention :shrug:

SethTisue avatar Jul 17 '24 14:07 SethTisue

note that https://scala-lang.org/security/ exists now (since https://github.com/scala/scala-lang/pull/1661), so we now have a central place where we can put information about this sort of thing

SethTisue avatar Jul 17 '24 14:07 SethTisue