
No releases?

Open Midar opened this issue 1 year ago • 7 comments

The README points to https://github.com/romanz/trezor-agent/blob/master/releases, but there are no releases. Is this intentional?

There seem to be releases on PyPI, but those are not signed, which seems a bit problematic (and ironic!), given the nature of this project.

Midar avatar Sep 03 '24 20:09 Midar

Good catch, thanks!

romanz avatar Sep 04 '24 17:09 romanz

I will update the docs, and prepare a new signed PyPI release :)

romanz avatar Sep 04 '24 17:09 romanz

Unfortunately, it seems PyPI doesn't support PGP signatures :( https://blog.pypi.org/posts/2023-05-23-removing-pgp/

romanz avatar Sep 05 '24 18:09 romanz

I will make sure the git tags are signed using https://romanzey.de/pgp.txt - so you should be able to verify them using:

git tag -v v0.15.0 
object 868975fb0cf2941bad51d283f64e1661ace4c8f4
type commit
tag v0.15.0
tagger Roman Zeyde <[email protected]> 1725560687 +0300

Bump version: 0.14.8 → 0.15.0
gpg: Signature made Thu 05 Sep 2024 09:24:47 PM IDT
gpg:                using ECDSA key 15C8C3574AE4F1E25F3F35C587CAE5FA46917CBB
gpg:                issuer "[email protected]"
gpg: Good signature from "Roman Zeyde <[email protected]>" [ultimate]
gpg:                 aka "Roman Zeyde <[email protected]>" [ultimate]

romanz avatar Sep 05 '24 18:09 romanz
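
Added example, not part of the thread or the project's code: a shell check for packagers that accepts a tag only when its signature was made by the fingerprint shown in the `git tag -v` output above, since gpg reports "Good signature" for any key present in the local keyring. The function names and the sample status lines are constructed for illustration, and the signer's key is assumed to be imported already.

```shell
#!/bin/sh
# Added example: accept a tag only if it is signed by one pinned key.
# Fingerprint taken from the `git tag -v v0.15.0` output in the thread.
PINNED_FPR="15C8C3574AE4F1E25F3F35C587CAE5FA46917CBB"

# check_status FPR: read GnuPG status lines ("[GNUPG:] ...") on stdin.
# Succeeds only if every VALIDSIG names FPR (as signing key or as primary
# key) and no failure status is present. Rejecting expired or revoked keys
# is a policy choice of this example.
check_status() {
  awk -v want="$1" '
    $1 != "[GNUPG:]" { next }
    $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
    $2 == "VALIDSIG" {
      # $3: fingerprint of the key that signed; last field: primary key
      if (toupper($3) == want || toupper($NF) == want) { ok = 1 } else { bad = 1 }
    }
    END { if (ok && !bad) exit 0; exit 1 }
  '
}

# verify_tag REPO TAG: hypothetical wrapper. `git verify-tag --raw` writes
# the gpg status lines to stderr, so stderr is what gets piped.
# e.g. verify_tag /path/to/trezor-agent v0.15.0 && echo "tag OK"
verify_tag() {
  git -C "$1" verify-tag --raw "$2" 2>&1 >/dev/null | check_status "$PINNED_FPR"
}

# Constructed status output (not captured from a real run).
SAMPLE_PINNED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 87CAE5FA46917CBB Roman Zeyde
[GNUPG:] VALIDSIG 15C8C3574AE4F1E25F3F35C587CAE5FA46917CBB 2024-09-05 1725560687 0 4 0 19 8 00 15C8C3574AE4F1E25F3F35C587CAE5FA46917CBB'
# A cryptographically valid signature, but from some other key in the keyring.
SAMPLE_OTHER_KEY='[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Someone Else
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2024-09-05 1725560687 0 4 0 22 8 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
# A signature that does not match the tag contents.
SAMPLE_TAMPERED='[GNUPG:] BADSIG 87CAE5FA46917CBB Roman Zeyde'
```

The same `check_status` function works on the status output of `gpg --status-fd 1 --verify` for a detached tarball signature.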

Maybe you could add signed tarballs to GitHub? That makes it much easier for distros to consume it.

Midar avatar Sep 05 '24 21:09 Midar

Would https://github.com/romanz/trezor-agent/releases/tag/v0.15.0 be OK?

romanz avatar Sep 06 '24 11:09 romanz

That looks good, but is only libagent?

Midar avatar Sep 07 '24 10:09 Midar