Sign releases and git tags

[ypid-geberit]

This helps with the bootstrapping problem.

Docs for git tags: https://help.github.com/articles/signing-tags-using-gpg/
Example for PIP release: https://github.com/ypid/fdeunlock/blob/bb1728e32657a0824410cacc82371fdc4c31d253/Makefile#L146-L151
Related to: #182 (comment)

Examples:

• https://github.com/ypid/fdeunlock
• Check signatures/checksums to ensure authenticity asdf-vm/asdf-nodejs#25
• Sign Ansible releases ansible/ansible#16871

[seveas]

Closing this to keep the discussion in one issue.

[ypid-geberit]

Quoted from #182 (comment):

#184 doesn't help Debian unless they actually check the signature, and nothing tells me they do.

Then let me do that: https://wiki.debian.org/debian/watch#Cryptographic_signature_verification

It's also only one of the distribution channels

Other distros have similar models. But they all depend on the abilities of the upstream project.

and unfortunately people will just add any old gpg key to the apt or yum/dnf keyring that they find these days.

Security minded people will never do that.

Closing this to keep the discussion in one issue.

This might still be a valid issue.