-
-
Notifications
You must be signed in to change notification settings - Fork 290
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Signature tarball #209
Comments
Tags are signed, so if you want verified sources I suggest you check out the repo. It'd be neat if GitHub would sign the tarballs they provide, but it looks like they don't. I'm not planning to publish my own tarballs. Does that work for you? |
Hi, On Debian packaging, build "robots" get tarball signed and verify signature. There are a guide here: Thanks. |
I think if you want to 'verify whether what they received matches the same tarball you have released' I'd recommend you check out the tag from git and verify the signature on the tag, rather than getting the tarball. Signing both the tag and the tarball just provides opportunity for the two to get out of sync... |
Thanks Raboof, for my particular use it's ok, works fine. I don't know if using this method is possible for Debian "robots" to do the same. Did you have any difficulty doing something like that article? Thanks for your work. []'s |
Hi,
should you sign tarball of 0.8.6 release.
Thanks.
The text was updated successfully, but these errors were encountered: