Detach-sign all release files #588
Comments
Are you talking about detached signature files here or key trust? Or somehow both? We've been making detached signatures since nodejs/node#9071, although we haven't updated the docs to demonstrate how to use this as we've been waiting for all release lines to be updated with the new sig style, tracking in nodejs/node#6821. Since it's been in place for a while now we should probably go ahead and update the docs to tell how to verify with the detached signatures instead of the inline signatures.
... catching up on IRC ... are you perhaps talking about detached signatures for each file in the releases? So ~ double the number of files in the release directories than we have now, an .asc for each one?
It's somehow both I guess. I just noticed that the releases are done by different people and signed with their personal keys - if there's a release signing key that trusts those personal keys, that's great. A small set of keys to expect would work too; it decentralizes the trust a little better. Arch does it. It's mostly that it can be a little hard to automate the checks if files are not signed individually. If I had a So yes, double the number of files (-2 because don't resign the shasums, obviously), seems to be quite common actually - if that's too much clutter, well, shame.
Closing due to long period of inactivity. Feel free to re-open if this is a thing. I'm just trying to close stuff that has been ignored for sufficiently long that it seems likely it's not something we're going to get to.
Related: #586
It'd be incredibly helpful for automated builds and distros that don't have their own packages with files attached (Gentoo/Arch's AUR/NixOS) if all files in a release could be detach-signed with GPG by a key with a common trustee.
Could also make the packaging flow much nicer/less prone to not checking signatures and hashes for other distros and users in general.
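An added shell example, not from this issue or the Node.js project, of the per-file check the thread wants to automate: every release file is expected to carry a detached `<file>.asc`, the SHASUMS list keeps its own detached signature and is not re-signed per file, and the hashes of whatever was actually downloaded are checked against that list. It assumes `gpg` with the release signers' keys already imported and coreutils `sha256sum`; all file names are constructed.

```shell
#!/bin/sh
# Added example (not from the issue or the Node.js project): checks for a
# release directory where every file carries a detached <file>.asc.
# Assumes gpg with the signers' keys already imported and coreutils
# sha256sum; SHASUMS256.txt keeps its own detached signature and is not
# re-signed per file, so it is skipped in the per-file loop.

# Verify one detached signature; gpg exits non-zero on a bad or unknown signature.
verify_detached() {
    f="$1"
    [ -f "$f.asc" ] || { echo "missing signature for $f" >&2; return 1; }
    gpg --batch --verify "$f.asc" "$f" >/dev/null 2>&1
}

# List release files (not the .asc files or SHASUMS256.txt) that lack a
# detached signature: the "hard to automate" gap the thread describes.
missing_signatures() {
    dir="$1"
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        case "$f" in *.asc|*/SHASUMS256.txt) continue ;; esac
        [ -f "$f.asc" ] || basename "$f"
    done
}

# Verify every artefact plus SHASUMS256.txt itself; non-zero if any fails.
verify_release_dir() {
    dir="$1"; rc=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        case "$f" in *.asc|*/SHASUMS256.txt) continue ;; esac
        verify_detached "$f" || rc=1
    done
    verify_detached "$dir/SHASUMS256.txt" || rc=1
    return $rc
}

# Check hashes of the files actually present against the (already
# signature-verified) list; entries for files not downloaded are ignored,
# and sha256sum fails if nothing at all could be verified.
check_hashes() {
    dir="$1"
    (cd "$dir" && sha256sum --check --ignore-missing --strict --quiet SHASUMS256.txt)
}
```

Run `verify_release_dir` before `check_hashes`: the hash list is only trustworthy once its own detached signature has been verified.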