listmonk
GPG signatures for source validation
As we all know, today more than ever before, it is crucial to be able to trust our computing environments. One of the main difficulties that package maintainers of GNU/Linux distributions face is verifying the authenticity and the integrity of the source code. With GPG signatures it is possible for packagers to verify source code releases quickly and easily.
In order to securely package your software, I am kindly requesting GPG signatures for the source tarballs. If you are not yet familiar with secure source code signing, I suggest using GPGit, which automates the process of secure source code signing and also has a quick start guide on GPG for learning how to use it manually.
Thanks in advance.
Thanks. I'll explore this. Is signing every commit necessary? What about PRs? What about older commits? Wouldn't signing only the version tag be sufficient to establish the authenticity of a release?
The more, the better. Signing the tag and the release tarball is most important, as this is what packagers use to build a release. Enabling gpg commit signing is easy, so you can simply sign all the commits anyway, as I do.
# For commits
git config --global commit.gpgsign true
# For tags
git tag -s 1.0.0
Cool. I'm familiar with signing commits, but the question was about commits from contributors that'll be unsigned. Maintainers can sign their commits and merge commits, but when there are a number of unsigned contributor commits, it may not be as useful.
Signing tags + releases is definitely valuable.
Yes, we cannot enforce it for contributors. I think you can sign the merge commit itself, if you merge via shell. Otherwise it will be signed with the GitHub gpg key. It can't be perfect, but releases are most important.
Argh! I forgot about this for v2.2.0!
You can always sign a .tar.gz release asset
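The tag-and-tarball flow discussed in this thread, end to end, as an added example (this is not code from the listmonk project or from any of the commenters): the maintainer side produces a detached, ASCII-armored signature for the release tarball and publishes the public key; the packager side imports only that public key, pins its fingerprint, and verifies the tarball, including the case where the tarball has been altered after signing. It assumes GnuPG 2.1 or newer (`gpg`, `gpgconf`) and `tar` are installed; the key identity, the version `1.0.0`, the tarball contents and both keyrings are constructed in a temporary directory, so the real keyring is never touched.

```shell
#!/bin/sh
# Added example, not code from the listmonk project or this thread's authors.
# Maintainer signs a release tarball with a detached GPG signature; a packager
# verifies it against the published public key and a pinned fingerprint.
# Assumes GnuPG 2.1+ and tar. Everything below lives in a temp directory.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to demonstrate" >&2; exit 0; }

WORK="$(mktemp -d)"
SIGNER="$WORK/maintainer-gnupg"    # maintainer's keyring: holds the private key
PACKAGER="$WORK/packager-gnupg"    # packager's keyring: holds only the public key
mkdir -p "$SIGNER" "$PACKAGER"
chmod 700 "$SIGNER" "$PACKAGER"
trap 'gpgconf --homedir "$SIGNER" --kill gpg-agent 2>/dev/null; gpgconf --homedir "$PACKAGER" --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT

# 1. Maintainer side: a throwaway Ed25519 signing key (constructed identity,
#    no passphrase, expires in a day; a real release key would have both).
gpg --homedir "$SIGNER" --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "Release Test <release@example.invalid>" ed25519 sign 1d

# Export the public key. This is what a project publishes (README, website,
# keyserver) so packagers can pin it.
gpg --homedir "$SIGNER" --armor --export "release@example.invalid" > "$WORK/RELEASE-KEY.asc"

# 2. Build the tarball for the tag (placeholder contents; a real release would
#    use the output of `git archive` for the signed tag).
mkdir -p "$WORK/src/listmonk-1.0.0"
echo 'constructed placeholder source file' > "$WORK/src/listmonk-1.0.0/README"
TARBALL="$WORK/listmonk-1.0.0.tar.gz"
tar -C "$WORK/src" -czf "$TARBALL" listmonk-1.0.0

# sign_release TARBALL -> writes TARBALL.asc, a detached, armored signature
sign_release() {
    gpg --homedir "$SIGNER" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$1.asc" "$1"
}

# verify_release TARBALL SIGNATURE -> exit 0 only if the signature is good and
# was made by a key present in the packager's keyring
verify_release() {
    gpg --homedir "$PACKAGER" --batch --verify "$2" "$1"
}

# key_fingerprint HOMEDIR -> fingerprint of the first key in that keyring.
# A good signature only proves "some key in my keyring signed this"; pinning
# the fingerprint is what ties it to the maintainer.
key_fingerprint() {
    gpg --homedir "$1" --batch --with-colons --list-keys | awk -F: '/^fpr:/ { print $10; exit }'
}

sign_release "$TARBALL"

# 3. Packager side: import only the published public key, pin it, verify.
gpg --homedir "$PACKAGER" --batch --quiet --import "$WORK/RELEASE-KEY.asc"
[ "$(key_fingerprint "$SIGNER")" = "$(key_fingerprint "$PACKAGER")" ] \
    || { echo "fingerprint mismatch: wrong key imported" >&2; exit 1; }
verify_release "$TARBALL" "$TARBALL.asc"
echo "release 1.0.0: signature OK, fingerprint $(key_fingerprint "$PACKAGER")"

# 4. A tarball altered after signing (one extra byte) must be rejected.
cp "$TARBALL" "$WORK/tampered.tar.gz"
printf 'x' >> "$WORK/tampered.tar.gz"
if verify_release "$WORK/tampered.tar.gz" "$TARBALL.asc"; then
    echo "BUG: tampered tarball verified" >&2; exit 1
else
    echo "tampered tarball: signature rejected, as expected"
fi
```

Note that `gpg --verify` exits 0 for a good signature even when the key is not certified in the packager's keyring (it prints a trust warning), which is why the fingerprint comparison is a separate step: the signature establishes integrity, the pinned fingerprint establishes who signed. The same `sign_release` step applies to a `.tar.gz` asset attached to a GitHub release, which is the point made in the last comment above.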