Skip to content

GPG signatures for source validation #2

Open
@NicoHood

Description

@NicoHood

As we all know, today more than ever before, it is crucial to be able to trust
our computing environments. One of the main difficulties that package
maintainers of Linux distributions face, is the difficulty to verify the
authenticity and the integrity of the source code.

The Arch Linux team would appreciate it if you would provide us GPG signatures
in order to verify easily and quickly your source code releases.

Overview of the required tasks:

  • Create and/or use a 4096-bit RSA keypair for the file signing.
  • Keep your key secret, use a strong unique passphrase for the key.
  • Upload the public key to a key server and publish the full fingerprint.
  • Sign every new git commit and tag.
  • Create signed compressed (xz --best) release archives
  • Upload a strong message digest (sha512) of the archive
  • Configure https for your download server

GPGit is meant to bring GPG to the masses.
It is not only a shell script that automates the process of creating new signed
git releases with GPG but also comes with this step-by-step readme guide for
learning how to use GPG.

This issue will be tracked in the
GPGit Software Sources List.

Additional Information:

Thanks in advance.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions