Sign hand hash release files

[hasufell]

I can't verify the validity and the authorship of the release files currently.

You can do, e.g.:

$ sha256sum --tag * > SHA256SUMS
$ gpg --detach-sign SHA256SUMS

And then upload both SHA256SUMS and SHA256SUMS.sig.

[jneira]

Yeah, it is a must from a security point of view, thanks for pointing it out. Imo, it should be automated in the release github action script

[hasufell]

Yeah, it is a must from a security point of view, thanks for pointing it out. Imo, it should be automated in the release github action script

secure gpg signing cannot be automated

[jneira]

oh, sorry i dont know much about the topic so sure i am missing obvious things: i thought you could ran those commands in the script and upload the result with the binaries. From a quick read it seems you could upload a private key to do it: https://zambrovski.medium.com/foss-ci-cd-with-github-actions-c65c37236c19

In any case we could do it locally for this release: @Ailrun have you done something similar in the past? (i can try to do it in my windows machine though, i suppose)

[hasufell]

From a quick read it seems you could upload a private key to do it:

I advise against that. The point of gpg is that no one except the owner knows about the password (and the private key) and that it identifies a person (and that I can call that person and do a fingerprint verification of their key). Creating those two files could simply be part of the release procedure. It takes maybe 2 minutes. I don't see much value in automating that.

[jneira]

I advise against that. The point of gpg is that no one except the owner knows about the password and that it identifies a person (and that I can call that person and do a fingerprint verification of their key).

I see and (partially?) agree

Creating those two files could simply be part of the release procedure. It takes maybe 2 minutes. I don't see much value in automating that.

Well it is more about the process overhead, it is one thing you dont have to remember or think about if the process works correctly

[hasufell]

it is one thing you dont have to remember

Sure, that's why there could be a release document, outlining all the steps with commands.

[hasufell]

any progress?

[jneira]

Would make sense start only with $ sha256sum --tag * > SHA256SUMS in the ci script?

[hasufell]

I think it only makes sense to have both.

[jneira]

I see, if we add an artifact to release i guess we should have a SHA256SUMS-rev1 and SHA256SUMS-rev1.sig

[hasufell]

I see, if we add an artifact to release i guess we should have a SHA256SUMS-rev1 and SHA256SUMS-rev1.sig

No, you want SHA256SUMS and SHA256SUMS.sig for the entirety of the release assets.