
Implement & document integrity check procedures for RNP releases

Open antonsviridenko opened this issue 3 years ago • 4 comments

Description

I've just realized that RNP does not have digital signatures and checksums published with each release. It is a standard and expected thing for every software project, especially security-related ones.

This one can be used as a reference. https://gnupg.org/download/integrity_check.html

Expected Behavior

Each source archive should be accompanied by a digital signature published in the same place. The download page should display links to release archives, signature files and checksums (SHA256 or other). Public keys that are used to sign releases should be published somewhere (rnpgpg.org, inside source files, release announcements in mailing lists, etc.).

Also, it would be nice for release tag commits to be digitally signed as well.

Actual Behavior

Currently there is no way to be sure that source archives downloaded from https://github.com/rnpgp/rnp/releases are authentic.

antonsviridenko, May 30 '21 21:05
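The verification procedure the issue asks for, written out as a POSIX shell script. This is an added example, not code from the RNP project or from the issue author. It assumes a release layout the issue only sketches: a `SHA256SUMS` file in the usual `HASH  FILENAME` format, a detached ASCII-armored signature next to the archive, the release public key as a file, and a published full fingerprint of the release key. It uses `gpg` for the OpenPGP step (an assumption; the project's own `rnp` CLI could do the same) and treats "Good signature" alone as insufficient, since any imported key produces that line: the signing key's fingerprint is compared against the published one via the `VALIDSIG` status line.

```shell
#!/bin/sh
# Added example (not RNP project code): verify a release archive end to end.
# Assumed layout: ARCHIVE, SHA256SUMS ("HASH  NAME" or "HASH *NAME" lines),
# ARCHIVE.asc (detached signature), a key file, and a published fingerprint.
set -u

# Print the lowercase SHA-256 hex digest of a file (coreutils or BSD tools).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}' | tr 'A-F' 'a-f'
    else
        shasum -a 256 "$1" | awk '{print $1}' | tr 'A-F' 'a-f'
    fi
}

# verify_checksum ARCHIVE SUMSFILE
# Returns 0 only if SUMSFILE has an entry for the archive's basename and the
# digest matches. A missing entry is a failure, not a pass.
verify_checksum() {
    archive=$1; sums=$2
    name=$(basename "$archive")
    expected=$(awk -v f="$name" '{ n=$2; sub(/^\*/, "", n); if (n == f) print $1 }' "$sums" \
               | tr 'A-F' 'a-f')
    [ -n "$expected" ] || { echo "no checksum entry for $name in $sums" >&2; return 1; }
    actual=$(sha256_of "$archive")
    if [ "$expected" = "$actual" ]; then
        echo "checksum OK: $name"
    else
        echo "checksum MISMATCH for $name: expected $expected, got $actual" >&2
        return 1
    fi
}

# verify_signature ARCHIVE SIGFILE KEYFILE FINGERPRINT
# Imports only KEYFILE into a throwaway GnuPG home, verifies the detached
# signature, then requires the VALIDSIG status line to name FINGERPRINT as
# either the signing (sub)key or the primary key. The gpg exit status alone
# would accept a signature from any key that happened to be imported.
verify_signature() {
    archive=$1; sig=$2; keyfile=$3
    fpr=$(printf '%s' "$4" | tr -d ' ' | tr 'a-f' 'A-F')
    tmp=$(mktemp -d) || return 1
    chmod 700 "$tmp"
    if ! gpg --homedir "$tmp" --batch --quiet --import "$keyfile" 2>/dev/null; then
        echo "could not import $keyfile" >&2; rm -rf "$tmp"; return 1
    fi
    status=$(gpg --homedir "$tmp" --batch --status-fd 1 --verify "$sig" "$archive" 2>/dev/null)
    rc=$?
    rm -rf "$tmp"
    [ "$rc" -eq 0 ] || { echo "signature verification failed for $archive" >&2; return 1; }
    if printf '%s\n' "$status" | awk -v f="$fpr" \
        '/^\[GNUPG:\] VALIDSIG / && ($3 == f || $NF == f) { ok = 1 } END { exit ok ? 0 : 1 }'
    then
        echo "signature OK: $archive signed by $fpr"
    else
        echo "signature made by a key other than $fpr" >&2
        return 1
    fi
}

# verify_tag REPO TAG: the signed-tag check from the issue, for a local clone.
# git verify-tag also only says "Good signature"; check the key it reports.
verify_tag() {
    git -C "$1" verify-tag "$2"
}

# Usage: verify_release.sh ARCHIVE SHA256SUMS ARCHIVE.asc KEYFILE FINGERPRINT
if [ "$#" -eq 5 ]; then
    verify_checksum "$1" "$2" && verify_signature "$1" "$3" "$4" "$5"
fi
```

Order matters: the checksum is fetched from the same place as the archive, so on its own it only detects a corrupted download; the signature, checked against a fingerprint obtained out of band, is what gives authenticity. If the checksum is inside the signed release message instead of a separate file, verify the message signature first and then feed its checksum lines to `verify_checksum`.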

Fully agree @antonsviridenko , do you have time to take this on?

ronaldtse, May 31 '21 15:05

@ronaldtse now if I understand correctly, source archives are not compressed and uploaded explicitly by you or @ni4; they are generated automatically by GitHub, am I right?

antonsviridenko, Jun 01 '21 00:06

@antonsviridenko Yep, those are created automatically once a version tag is pushed to GitHub. On the releases page we can edit the tag to fill it up with data, attach files and so on. So possible ways would be to include the checksum in the message, and upload signatures for both tar.gz/zip.

ni4, Jun 01 '21 11:06

So first we need to generate release signing keys and publish them on a web page. Either someone responsible for releases should do that, or everyone on the team uses their own keys so releases will have multiple signatures.

antonsviridenko, Jun 19 '21 19:06

Closing this as the release signing process is already formalized and keys are published.

ni4, Feb 27 '23 14:02