On Thu, Apr 6, 2017 at 7:31 PM, Christian Rebischke
<Chris.Rebischke(a)archlinux.org> wrote:
> Hello,
> I am the maintainer of 'audit' in the official Arch Linux Repositories.
> Is there a reason why you don't provide a signature file for the
> releases nor a checksum or am I just stupid and can't find it on your
> website:
> https://people.redhat.com/sgrubb/audit/ ?

Steve seems to be posting audit userspace releases both on his Red Hat
people page and on GitHub; I'm not sure which he considers to be the
"authoritative" release, he'll have to answer that.

https://github.com/linux-audit/audit-userspace/releases

As far as checksum'd and signed releases, someone from the Debian camp
recently requested detached signatures for libseccomp and provided the
documentation below (it's a short and well done doc). While
libseccomp had been signing releases for years, we were using a
combined (?) approach, it was relatively easy to add the detached
signature.

https://wiki.debian.org/Creating%20signed%20GitHub%20releases

In case anyone is interested, here is an example of what we now
provide for a libseccomp release:

https://github.com/seccomp/libseccomp/releases/tag/v2.3.2

... and the libseccomp release process is documented here:

https://github.com/seccomp/libseccomp/blob/master/RELEASE_PROCESS.md

--
paul moore
www.paul-moore.com