
Please sign release tarballs and/or release tags

Open ottok opened this issue 1 year ago • 3 comments

Hi!

While working on the Debian packaging for this Go program, I noticed that there are no *.asc signatures published at https://github.com/caarlos0/env/releases nor do the git tags in this project have signatures.

For better supply chain security, please consider signing both tags and release artifacts. Thanks!

ottok, Nov 28 '24 09:11

Will work on this when I have some time.

caarlos0, Dec 06 '24 02:12

The Debian Wiki provides step-by-step instructions for this: https://wiki.debian.org/Creating%20signed%20GitHub%20releases.

However, the steps on the Wiki page are manual. I suggest automating the process using GitHub Actions, for example, by storing the private key as a GitHub Actions secret.

Juneezee, Dec 18 '24 09:12

The step to sign a release in https://wiki.debian.org/Creating%20signed%20GitHub%20releases is intentionally done locally on a dev laptop to avoid leaking the private key to GitHub.

ottok, Dec 18 '24 18:12
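The local signing flow the thread is discussing, written out as an added shell example. This is not the env project's own release tooling and not the Debian wiki text; it assumes a git checkout of the project, a release tag such as `v1.0.0`, the project name `env`, a gpg key id for the maintainer, and, only for the final upload, the GitHub CLI `gh`. Function names (`make_tarball`, `sign_tarball`, `sign_tag`, `verify_release`, `missing_signatures`, `release`) are this example's own.

```shell
#!/bin/sh
# Added example, not the env project's own release tooling. Assumes a git
# checkout, a release tag such as v1.0.0, a gpg key id for the maintainer,
# and (for upload only) the GitHub CLI `gh`. Run on the maintainer's laptop:
# the private key never leaves it, which is the point made in the thread.
set -eu

# Build the tarball from the tag itself so anyone can regenerate the same
# archive from git and compare it with the signed one.
make_tarball() {
    tag="$1"; name="$2"
    version="${tag#v}"
    out="${name}-${version}.tar.gz"
    git archive --format=tar.gz --prefix="${name}-${version}/" -o "$out" "$tag"
    printf '%s\n' "$out"
}

# Detached, ASCII-armored signature: the *.asc file next to the tarball that
# the issue asks for. The tarball itself is left untouched.
sign_tarball() {
    tarball="$1"; keyid="$2"
    gpg --batch --yes --local-user "$keyid" --armor --detach-sign \
        --output "${tarball}.asc" "$tarball"
}

# A signed tag: the signature covers the tag object, and therefore the commit
# hash it points to. Signing the tag does not sign any tarball, which is why
# the issue asks for both.
sign_tag() {
    tag="$1"; keyid="$2"
    git tag -s -u "$keyid" -m "Release $tag" "$tag"
}

# What a packager runs after downloading the release: both checks must pass
# and need the maintainer's public key in the local keyring. Note the gpg
# argument order: the signature first, then the signed file.
verify_release() {
    tarball="$1"; tag="$2"
    gpg --verify "${tarball}.asc" "$tarball"
    git tag -v "$tag"
}

# Pure-shell pre-check on a list of release asset names (one per line on
# stdin): print every archive that has no matching .asc and return 1 if any
# is missing. Useful before publishing, or when auditing an existing release.
missing_signatures() {
    assets=$(cat)
    rc=0
    for a in $assets; do
        case "$a" in
            *.tar.gz|*.tar.xz|*.zip)
                if ! printf '%s\n' "$assets" | grep -qxF -- "${a}.asc"; then
                    printf '%s\n' "$a"
                    rc=1
                fi
                ;;
        esac
    done
    return "$rc"
}

# Full local flow: signed tag, tarball, detached signature, self-check, upload.
# Usage: ./sign-release.sh release v1.0.0 env <gpg key id>
release() {
    tag="$1"; name="$2"; keyid="$3"
    sign_tag "$tag" "$keyid"
    tarball=$(make_tarball "$tag" "$name")
    sign_tarball "$tarball" "$keyid"
    verify_release "$tarball" "$tag"
    printf '%s\n%s\n' "$tarball" "${tarball}.asc" | missing_signatures
    # Attach the tarball and its signature to the GitHub release for the tag
    # (assumes `gh` is installed and the release for the tag already exists).
    gh release upload "$tag" "$tarball" "${tarball}.asc"
}

if [ "${1:-}" = "release" ]; then
    shift
    release "$@"
fi
```

Everything up to the `gh release upload` line runs with only git and gpg on the maintainer's machine, so no secret is stored in GitHub Actions; the only thing uploaded is the tarball and its public `.asc` signature. The `missing_signatures` check is the one a packager can run against the asset list of any existing release to confirm every archive has its signature alongside it.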