
Any reason why tarball releases are not cryptographically signed? #789

Open
yuv opened this issue Dec 23, 2023 · 1 comment

Comments


yuv commented Dec 23, 2023

I have not updated my little local instance since the migration from SourceForge to GitHub and I wonder: why are we supposed to simply trust the released tarballs on GitHub, as if GitHub is not hackable? Back in the day,

between

$ wget -O postfixadmin.tgz https://github.com/postfixadmin/postfixadmin/archive/postfixadmin-3.3.13.tar.gz

and

$ tar -zxvf postfixadmin.tgz
$ mv postfixadmin-postfixadmin-3.3 postfixadmin

one would get the publishing developer's public key and verify the signature:

$ wget https://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-3.2.2/postfixadmin-3.2.2.tar.gz.asc
$ gpg --keyserver pgp.mit.edu --recv-keys 63C82F1C
$ gpg --verify postfixadmin-3.2.2.tar.gz.asc postfixadmin-3.2.2.tar.gz

Skipping this looks like a regression to me?

@DavidGoodwin (Member) commented

Hi - it's mostly laziness. The SourceForge release process was a bit clunky, with me making a .deb and .tar.gz and then emailing that to cboltz, who did something with RPM files, and then somehow that all magically got on SourceForge...

GitHub is a lot easier in that respect (push a tag, go to create a new release and that's it).

Anyway, it is possible to attach a gpg signature file etc. to the GitHub release - which would do what I think you're asking. I suspect I'll need to swot up on how to do gpg signing again!
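As an added example (not postfixadmin's own tooling), the following POSIX shell helpers cover both sides of this thread: the maintainer produces a detached .asc signature to attach to the GitHub release, and the downloader verifies it while pinning the publisher's full key fingerprint instead of fetching a short key id from a keyserver. The key file, fingerprint and file names are placeholders.

```shell
#!/bin/sh
# Added example, not part of postfixadmin. Placeholders: the key file passed
# to verify_release, the expected fingerprint, and the tarball names.

# Maintainer side: produce a detached, ASCII-armoured signature next to the
# tarball (postfixadmin-X.Y.Z.tar.gz.asc), ready to attach to a release.
sign_release() {
    tarball="$1"; signing_key="$2"
    gpg --batch --local-user "$signing_key" --armor --detach-sign \
        --output "$tarball.asc" "$tarball"
}

# Parse gpg --status-fd output on stdin. Succeed only if a VALIDSIG line names
# the expected full fingerprint, either as the signing key (field 3) or as the
# primary key (last field, present when a subkey made the signature). A plain
# "Good signature" from any key that happens to be in the keyring is not enough.
check_validsig() {
    expected="$1"
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                set -- $line
                eval "primary=\${$#}"
                if [ "$3" = "$expected" ] || [ "$primary" = "$expected" ]; then
                    return 0
                fi
                ;;
        esac
    done
    return 1
}

# Downloader side (runs in a subshell so GNUPGHOME does not leak): import the
# publisher's key from a pinned local file into a throwaway keyring, then
# verify the tarball and require the expected fingerprint.
verify_release() (
    tarball="$1"; sigfile="$2"; expected_fpr="$3"; keyfile="$4"
    GNUPGHOME="$(mktemp -d)" || exit 2
    export GNUPGHOME
    gpg --batch --import "$keyfile" >/dev/null 2>&1 || exit 2
    gpg --batch --status-fd 1 --verify "$sigfile" "$tarball" 2>/dev/null \
        | check_validsig "$expected_fpr"
    rc=$?
    rm -rf "$GNUPGHOME"
    exit "$rc"
)
```

Usage: `verify_release postfixadmin-3.3.13.tar.gz postfixadmin-3.3.13.tar.gz.asc <40-hex-fingerprint> publisher-key.asc`; a non-zero exit means the download must not be unpacked.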
