GPG signatures for source validation

[NicoHood]

As we all know, today more than ever before, it is crucial to be able to trust our computing environments. One of the main difficulties that package maintainers of Linux distributions face, is the difficulty to verify the authenticity and the integrity of the source code.

The Arch Linux team would appreciate it if you would provide us GPG signatures in order to verify easily and quickly of your source code releases.

Overview of the required tasks:

• [ ] Please create and/or use a 4096-bit RSA keypair for the file signing
• The key may be used for email encryption too
• Keep your key secret, use a strong unique passphrase for the key
• [ ] Upload the public key to a key server
• [ ] Sign every new commit by default
• [ ] Sign new tags
• Verify the Github Release tarball download against your local source
• [ ] Sign Github Release tarballs

Additional Information:

• https://help.github.com/categories/gpg/
• https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
• https://www.qubes-os.org/doc/verifying-signatures/
• https://developers.google.com/web/fundamentals/security/encrypt-in-transit/why-https

Thanks.

[raoulh]

Ok, I will do that when I have time

[raoulh]

@NicoHood It seems you are working for packaging Moolticute in ArchLinux, so please don't forget to also package the side projects https://github.com/raoulh/moolticute_ssh-agent and https://github.com/raoulh/moolticute-cli as separated packages or directly included in the moolticute package. On windows and macos those two will be included into the packages directly. Thanks

[NicoHood]

Some updates: I've developed a script to easily sign the releases very fast: https://github.com/NicoHood/gpgit

Someone also wanted to release moolticute on AUR (as i had no time to check yet). I will try to check the PKGBUILD and bring it to [community] if it gets popular enough. The move to [community] requires GPG signatures (my personal rule though).

[bobsaintcool]

Hi,

I will also package both moolticute_ssh-agent and moolticute-cli (as moolticute) for AUR. I will probably come with this next week.

[NicoHood]

The udev rule repo now has gpg signatures. It would be nice to have signatures for moolticute as well. https://github.com/mooltipass/mooltipass-udev/releases

[bobsaintcool]

Some side notes if the wish to use GPG come up:

https://github.com/lfit/itpol/blob/master/protecting-code-integrity.md https://github.com/lfit/itpol/blob/master/kernel-developer-pgp-guide.md