Sign releases and git tags
ypid-geberit opened this issue · comments
This helps with the bootstrapping problem.
Docs for git tags: https://help.github.com/articles/signing-tags-using-gpg/
Example for PIP release: https://github.com/ypid/fdeunlock/blob/bb1728e32657a0824410cacc82371fdc4c31d253/Makefile#L146-L151
Related to: #182 (comment)
Examples:
Closing this to keep the discussion in one issue.
Quoted from #182 (comment):
#184 doesn't help Debian unless they actually check the signature, and nothing tells me they do.
Then let me do that: https://wiki.debian.org/debian/watch#Cryptographic_signature_verification
It's also only one of the distribution channels
Other distros have similar models. But they all depend on the abilities of the upstream project.
and unfortunately people will just add any old gpg key to the apt or yum/dnf keyring that they find these days.
Security minded people will never do that.
Closing this to keep the discussion in one issue.
This might still be a valid issue.