musl-fts
Detached signature for release source code tarballs
Thanks for developing this useful library. Would it be possible to include a detached signature to authenticate the release tarballs?
While simply signing git release tags or even commits would be a step in the right direction, signing the actual released artifacts would be a huge help to users concerned about code authenticity.
It's not foolproof, but if the public key is published to a keyserver like https://keyserver.ubuntu.com/ in addition to someplace independent (like a developer's website or maybe even somewhere here on GitHub), then it can be used to provide a greater degree of confidence.
It looks like it should be a pretty straightforward process and would be much appreciated.