New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
signed releases #1785
Comments
v1.53.0 has .asc files. |
The .asc files uploaded with this release are not valid PGP signatures at all, but instead seem to contain a checksum and file name. So they don't work. |
No, but it can check the integrity of tar balls with sha256sum. This is not exactly what you wanted, but provides similar purpose. |
It's not a similar purpose because the files are hosted on Github. The purpose of signing release artifacts is to verify their authenticity regardless of where they're hosted. I'm sorry, but these .asc files are useless. |
Now asc files contain pgp signatures. I hope I have done it properly. |
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 7 days. |
Hi. Would it be possible to include a detached PGP signature for the release tarballs? I see git tags are signed, but some tooling only works with static artifacts.
The text was updated successfully, but these errors were encountered: