Please use a GPG key to sign releases

Open jonathancross opened this issue 4 years ago • 1 comments

In order to reduce trust in GitHub and increase reliability of the project / prevent forgeries, please generate an OpenPGP key and use it to sign releases.

For added security, you can also sign git commits so it is clear that you actually made them.

Thanks!

jonathancross, Feb 09 '21 16:02

Here is a gpg signed message specifying the fingerprint of v2.4.1:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

The dmg I downloaded from this URL:
https://github.com/objective-see/LuLu/releases/download/v2.4.1/LuLu_2.4.1.dmg

Has this SHA1 fingerprint:
bd544c03c24344b52c5f7389e10611f32972ac91

And the SHA256 fingerprint:
fe2607d874456295154238fb387e2f038b2b9f475d440ded0e495fd90aacc934
-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

A signature like this should be provided by @objective-see or @patrickwardle.

jonathancross, Nov 17 '21 13:11
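
How a downloader could check a release against a clearsigned statement like the one in the comment above, as an added example (not part of the issue thread and not the project's own tooling). All function names are hypothetical, and the signer's fingerprint is assumed to have been obtained out of band.

```shell
#!/usr/bin/env bash
# Added example, not from the issue thread; all function names are hypothetical.

# SHA-256 of a file as lowercase hex (sha256sum on Linux, shasum on macOS).
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
    awk '{print $1}'
}

# Read already-verified message text on stdin and print the one 64-hex-digit
# token in it. Zero or several distinct candidates is an error, so an
# ambiguous statement is rejected instead of guessed at.
extract_sha256() {
  local found
  found=$(grep -Eiow '[0-9a-f]{64}' | tr 'A-F' 'a-f' | sort -u)
  [ "$(printf '%s\n' "$found" | grep -c .)" -eq 1 ] || return 1
  printf '%s\n' "$found"
}

# Compare the digest named in verified text (stdin) with a local file.
digest_matches() {
  local expected
  expected=$(extract_sha256) || return 3
  [ "$expected" = "$(file_sha256 "$1")" ] || return 4
}

# usage: verify_release STATEMENT.asc DOWNLOAD SIGNER_FPR (40 uppercase hex, no spaces)
verify_release() {
  local status text
  status=$(mktemp) || return 1
  # Parse only what gpg emits as the signed text; anything outside the armor
  # in the .asc file is not covered by the signature.
  text=$(gpg --status-fd 3 --decrypt "$1" 3>"$status" 2>/dev/null) || true
  # A good signature from just any key in the keyring is not enough: require
  # a VALIDSIG status line carrying the expected fingerprint.
  if ! grep -q "^\[GNUPG:\] VALIDSIG .*$3" "$status"; then
    rm -f "$status"; echo "no valid signature from $3" >&2; return 2
  fi
  rm -f "$status"
  printf '%s\n' "$text" | digest_matches "$2" || { echo "digest check failed" >&2; return 4; }
  echo "OK: $2 matches the signed SHA-256"
}
```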