signed releases #1785
Labels
Comments
|
v1.53.0 has .asc files. |
|
The .asc files uploaded with this release are not valid PGP signatures at all, but instead seem to contain a checksum and file name. So they don't work. |
|
No, but it can check the integrity of tar balls with sha256sum. This is not exactly what you wanted, but provides similar purpose. |
|
It's not a similar purpose because the files are hosted on Github. The purpose of signing release artifacts is to verify their authenticity regardless of where they're hosted. I'm sorry, but these .asc files are useless. |
|
Now asc files contain pgp signatures. I hope I have done it properly. |
|
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 7 days. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi. Would it be possible to include a detached PGP signature for the release tarballs? I see git tags are signed, but some tooling only works with static artifacts.
The text was updated successfully, but these errors were encountered: