Skip to content

release: Sign release with GPG #1203

Description

@alexvong243f

I think I can do it. Right now I'm already signing all my commits, so basically it takes no extra effort to sign the releases (as co-maintainer) using the same key.

Since I don't use PGP's web of trust, the authentication scheme for my key will be TOFU (trust on 1st use). What it means is that during the 1st verification, users will download my key from the internet, (blindly) trust it to be authentic and use it to verify the release. On subsequent verifications, users will use the key downloaded previously to verify new releases. This way we only need to take the risk during the 1st verification. If nothing goes wrong, subsequent verifications will be secure.

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Relationships

None yet

Development

No branches or pull requests

Issue actions