Please PGP/GnuPG sign source tarballs

Issue #69 resolved
Franz Schrober created an issue

Distributions now try to verify upstream tarballs to more easily detect manipulation by third parties. One of the steps is to have detached, ASCII-armored signatures made using the PGP/GnuPG signature key of the software author next to the actual source tarball.

Of course, this is only one check but at least this one can help:

Comments (6)

  1. anatoly techtonik

    You marked this as trivial. Can you describe how it should look and what the process is? It would be nice if the process were also Windows-compatible.

  2. Franz Schrober reporter

    Most of the stuff is described in the links. Here is another post about how it is done.

    This cannot be solved by you because you are not the maintainer/release manager and the maintainer/release manager should do the signing.

    What needs to be done:

    • maintainer needs a GPG/PGP signature key (with enough cryptographic strength, like RSA-4096)
    • public key part must be uploaded to a key server
    • the gpg key should have a uid with the e-mail address of the maintainer
    • the gpg key should also have an encryption key to allow the remote checking as described in the SUSE documents
    • the release tarballs (hopefully all old ones too) should get a detached signature as described in the SUSE documents or in the last link I've posted
      • gpg --detach-sign --armor PySDL2-0.9.3.tar.gz
    • the signatures (filename + .asc) must be uploaded to the download page next to the release tarballs

    And as an extra step, the signer of the keys must be reachable using the mail address to make a simple verification that the signature key belongs to the mail address.
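The signing and verification steps listed above, as an added example that is not from the thread or from the PySDL2 project: a throwaway GnuPG home, a constructed maintainer key and a constructed stand-in for the tarball (the file name is taken from the thread, its contents are not), ending with the check a packager relies on, that a modified tarball no longer verifies against the published `.asc`.

```shell
#!/bin/sh
# Added example: detached, ASCII-armored signing of a release tarball and
# downstream verification, all inside a throwaway GNUPGHOME. Requires gpg 2.1+.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping"; exit 0; }

GNUPGHOME="$(mktemp -d)"; export GNUPGHOME
WORK="$(mktemp -d)"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME" "$WORK"' EXIT
TARBALL="$WORK/PySDL2-0.9.3.tar.gz"   # file name from the thread; contents constructed

# Constructed stand-in for the release tarball (content does not matter for signing).
printf 'constructed release contents\n' > "$TARBALL"

# Throwaway RSA-4096 signing key with a uid carrying the maintainer's e-mail,
# as the thread asks for. No passphrase, demo only; address is a placeholder.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Demo Maintainer <maintainer@example.invalid>' rsa4096 sign 0

# sign_tarball: write <file>.asc, the detached armored signature the thread describes.
sign_tarball() {
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --detach-sign --armor --output "$1.asc" "$1"
}

# verify_tarball: succeed only if <file>.asc is a good signature over <file>.
# This is the check a distribution runs against the published .asc.
verify_tarball() {
    gpg --batch --quiet --verify "$1.asc" "$1" 2>/dev/null
}

# check_signature_flow: prints "ok tamper-detected" when the genuine tarball
# verifies and a copy with one appended byte is rejected.
check_signature_flow() {
    sign_tarball "$TARBALL"
    good=fail
    verify_tarball "$TARBALL" && good=ok
    cp "$TARBALL" "$WORK/tampered.tar.gz"
    cp "$TARBALL.asc" "$WORK/tampered.tar.gz.asc"
    printf 'x' >> "$WORK/tampered.tar.gz"      # simulate a modified download
    tamper=missed
    verify_tarball "$WORK/tampered.tar.gz" || tamper=tamper-detected
    printf '%s %s\n' "$good" "$tamper"
}

check_signature_flow
```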

  3. Marcus von Appen repo owner

    I won't sign any previous release. I'm fine with doing so for future releases, though one has to bear in mind that signing the source tarballs does not improve security very much.

  4. Franz Schrober reporter