I've seen you sign one of the recent commits using your PGP key, so that means you must be using PGP 😛
What do you think about signing releases? Instead of providing hashsums (or in addition, if you want).
PGP signatures will not only help ensure that the downloaded archive is not corrupted, but will also verify authenticity and in general reduce the attack vector when your app is being built by other people and distributed via distro packages.
For packaging we'd need a signature for the sources tarball (.tar.gz) that GitHub automatically provides for you on every release; signatures for other attachments would be appreciated as well 🙂
Here's what I would suggest to do:
- For transparency, put your key ID in the README; something like the line below would be enough (it's my key in the example):

  > Releases are signed with the following PGP key: `8053EB88879A68CB4873D32B011FDC52DA839335`
- Publish your key to http://keys.gnupg.net/
- The sources tarball is reproducible and can be recreated using the following:

  ```sh
  git archive -o xplr-<version>.tar.gz --format tar.gz --prefix "xplr-<version>/" "<tag>"
  ```
So for example, to get a signature you'd run this (mind where the `v` before the version is used and where it is not):

```sh
git archive -o xplr-0.7.2.tar.gz --format tar.gz --prefix "xplr-0.7.2/" "v0.7.2"
gpg --detach-sign xplr-0.7.2.tar.gz
```
Let me know if you need any help! 🙂
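The full round trip described in the comment above, as an added example that is not part of the original issue or of the xplr project: recreate the tarball with `git archive`, detach-sign it, and then verify it the way a distro packager should. The verification step goes one notch beyond a bare `gpg --verify`: a zero exit status only proves that *some* key in the keyring made the signature, so the script also reads gpg's `VALIDSIG` status line and pins the primary-key fingerprint to the one the README advertises. The throwaway key, the one-commit repository, the `demo@example.invalid` identity and the `xplr-0.7.2` / `v0.7.2` names are all constructed for the demo; it needs `git` and GnuPG 2.1 or newer on the `PATH`.

```shell
#!/bin/sh
# Added example (not from the original issue): build, sign and verify a release
# tarball, pinning the signature to an expected primary-key fingerprint.

# Recreate the release tarball exactly as the comment describes.
make_source_tarball() {                 # repo_dir name version tag out_dir
    git -C "$1" archive -o "$5/$2-$3.tar.gz" --format tar.gz --prefix "$2-$3/" "$4"
}

# Write a binary detached signature next to the tarball (<tarball>.sig).
sign_tarball() {                        # tarball
    gpg --batch --yes --detach-sign "$1"
}

# Verify a detached signature AND require that it was made by the advertised key.
# gpg's exit status alone means "a key in my keyring made this"; the VALIDSIG
# status line says which one. Its 12th field is the *primary* key fingerprint,
# so a release signed with a signing subkey of that key still passes.
verify_tarball() {                      # tarball sig expected_primary_fpr
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | awk -v want="$3" '
        /^\[GNUPG:\] VALIDSIG / { if ($12 == want) ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# End-to-end demo on a throwaway repo and keyring. Returns 0 only if the tarball
# is reproducible, the good signature verifies against the right fingerprint,
# a tampered tarball is rejected, and a mismatching fingerprint is rejected.
demo_release_signing() {
    work=$(mktemp -d) || return 1
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"

    # Throwaway key standing in for the maintainer's real key (constructed).
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Maintainer <demo@example.invalid>' default default never \
        >/dev/null 2>&1 || return 1
    fpr=$(gpg --batch --with-colons --list-keys | awk -F: '/^fpr:/ { print $10; exit }')

    # Tiny repository with one tagged commit, playing the part of the project.
    repo="$work/repo"; mkdir "$repo"
    git -C "$repo" init -q || return 1
    printf 'demo\n' > "$repo/README.md"
    git -C "$repo" add README.md
    git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q -m 'demo release' || return 1
    git -C "$repo" tag v0.7.2

    # Reproducibility: two archives of the same tag must be byte-identical.
    mkdir "$work/again"
    make_source_tarball "$repo" xplr 0.7.2 v0.7.2 "$work"       || return 1
    make_source_tarball "$repo" xplr 0.7.2 v0.7.2 "$work/again" || return 1
    cmp -s "$work/xplr-0.7.2.tar.gz" "$work/again/xplr-0.7.2.tar.gz" || return 1

    tarball="$work/xplr-0.7.2.tar.gz"
    sign_tarball "$tarball" || return 1

    # 1. Genuine tarball, advertised key: must verify.
    verify_tarball "$tarball" "$tarball.sig" "$fpr" || return 1
    # 2. Tampered tarball: must be rejected even though the .sig itself is genuine.
    cp "$tarball" "$work/tampered.tar.gz"; printf 'x' >> "$work/tampered.tar.gz"
    ! verify_tarball "$work/tampered.tar.gz" "$tarball.sig" "$fpr" || return 1
    # 3. Valid signature, but not from the fingerprint in the README: must be rejected.
    ! verify_tarball "$tarball" "$tarball.sig" \
        "0000000000000000000000000000000000000000" || return 1

    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$work"
    return 0
}

demo_release_signing && echo "release signing round trip: all checks passed"
```

Run it with `sh`; it leaves nothing behind because the keyring and repository live in a temporary directory. The design point is in `verify_tarball`: a packager who only checks gpg's exit code would accept a signature from any key they happen to have imported, so the expected fingerprint is passed in explicitly and compared against the primary-key field of `VALIDSIG`.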