GPG signatures for source validation
NicoHood
archlinux at nicohood.de
Sat Dec 24 13:58:17 CET 2016
As we all know, today more than ever before, it is crucial to be able to
trust our computing environments. One of the main difficulties that
package maintainers of Linux distributions face, is the difficulty to
verify the authenticity and the integrity of the source code.
The Arch Linux team would appreciate it if you would provide us GPG
signatures in order to verify easily and quickly of your source code
releases.
Overview of the required tasks:
* Create and/or use a 4096-bit RSA keypair for the file signing
* Keep your key secret, use a strong unique passphrase for the key
* Upload the public key to a key server
* Sign every new commit by default
* Sign new tags
* Sign Release tarballs
* Provide https downloads
**Additional Information:**
*
https://github.com/NicoHood/NicoHood.github.io/wiki/How-to-sign-sources-with-GPG-in-under-5-minutes
* https://github.com/NicoHood/gpgithub
* https://help.github.com/categories/gpg/
* https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
* https://www.qubes-os.org/doc/verifying-signatures/
*
https://developers.google.com/web/fundamentals/security/encrypt-in-transit/why-https
Thanks.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://mail.xfce.org/pipermail/xfce/attachments/20161224/10ad8565/attachment.sig>
More information about the Xfce
mailing list