Cryptographic signed commits and releases

[jonassmedegaard]

It would be great if there were electronic signatures (OpenPGP/etc)
of all git commits and tags and any zip files or tarballs you release,
so that distributors and users can verify the source code came from authors of this project
and wasn't modified by github or network attackers.

https://mikegerwitz.com/papers/git-horror-story
https://github.com/blog/2144-gpg-signature-verification
https://wiki.debian.org/Creating%20signed%20GitHub%20releases
https://wiki.debian.org/debian/watch#Cryptographic_signature_verification

[thisisG]

Will discuss! Thanks for the report!

[jonassmedegaard]

I have wanted to suggest this for some time, but lacked references.

For the record, I stole most of the text from this email post by fellow Debian developer Paul Wise:
http://lists.alioth.debian.org/pipermail/pkg-fonts-devel/2017-March/019303.html

[pabuhler]

@jonassmedegaard, for the next release (2.2) we will try to create a signed release based on the steps in https://wiki.debian.org/Creating%20signed%20GitHub%20releases.
The key id that will be used, at least initially is EF76B4CDB2A6BF541985C48CE70913DF61445490, available from pool.sks-keyservers.net . I just wanted to inform you now in case you have some input?

[jonassmedegaard]

Quoting Pascal Bühler (2017-10-27 12:29:05)

@jonassmedegaard, for the next release (2.2) we will try to create a signed release based on the steps in https://wiki.debian.org/Creating%20signed%20GitHub%20releases.

Awesome!

The key id that will be used, at least initially is EF76B4CDB2A6BF541985C48CE70913DF61445490, available from pool.sks-keyservers.net . I just wanted to inform you now in case you have some input?

I am new to release signing myself, so cannot spot flaws in the procedures ahead of time. Suggestion: Make a prerelease and sign that as well. I'd be happy to package that (for Debian experimental) with signature check enabled, so that when you do the final release we check that the signature of the previous (pre)release matches that of the final one. In any case, if signing is flawed then simply correct it for next release :-) - Jonas

…

-- * Jonas Smedegaard - idealist & Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ [x] quote me freely [ ] ask before reusing [ ] keep private