Re: Gnome Flatpak build system, descriptions and questions


On Fri, Aug 26, 2016 at 11:21:05AM -0500, Michael Catanzaro wrote:
On Fri, 2016-08-26 at 11:48 -0400, Shaun McCance wrote:
IIRC, won't let you push an unsigned tag.

I've been doing it for a while, so it most certainly does! I don't see
value in signing our tags as (a) clearly nobody is checking the
signatures, and (b) we don't currently have any centralized registry of
trusted keys, so it's not possible to know which signatures to trust.

For what it's worth, if all the tags are signed with the same GPG key,
that's imo better than no signature at all. You could also add a line to
your release email saying that the tag (or the release tarball) has been
signed with the GPG key with fingerprint xxx. Even if your key is not in
a centralized trust registry, this makes it harder to mess with the tags
after the fact for someone who doesn't have access to your key.


Attachment: signature.asc
Description: PGP signature
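One way to act on this advice from the consumer's side, as an added example that is not part of this thread: pin the fingerprint announced in the release email and compare it against the raw GnuPG status lines that `git verify-tag --raw` writes to stderr, so the check holds without any centralized trust registry (the TRUST_UNDEFINED line is deliberately ignored). The status lines, key ids and fingerprints below are constructed sample data.

```python
"""Verify that a git tag was signed by a pinned GPG key fingerprint."""
import re
import subprocess

# VALIDSIG fields: signing-key fingerprint, date, timestamps, algorithms,
# sig class and, as the last field, the primary key fingerprint.
VALIDSIG_RE = re.compile(r"^\[GNUPG:\] VALIDSIG (\S+) .* (\S+)$")

# Constructed sample of what `git verify-tag --raw <tag>` prints on stderr
# for a good signature whose key is not in any web of trust.
SAMPLE_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 0123456789ABCDEF0123456789ABCDEF01234567 0
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2016-08-26 1472227265 0 4 0 1 10 01 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""


def signature_matches(status_output: str, expected_fpr: str) -> bool:
    """True only if GnuPG reported GOODSIG and the signing or primary key
    fingerprint equals expected_fpr (spaces ignored, case-insensitive).
    Trust level is ignored on purpose: the fingerprint from the release
    e-mail is the anchor, not a trust path to the key."""
    expected = expected_fpr.replace(" ", "").upper()
    good = False
    fingerprints = set()
    for line in status_output.splitlines():
        if line.startswith("[GNUPG:] GOODSIG "):
            good = True
        elif line.startswith(("[GNUPG:] BADSIG ", "[GNUPG:] ERRSIG ")):
            return False  # broken or unverifiable signature: reject outright
        m = VALIDSIG_RE.match(line)
        if m:
            fingerprints.update(f.upper() for f in m.groups())
    return good and expected in fingerprints


def verify_tag(repo: str, tag: str, expected_fpr: str) -> bool:
    """Run git verify-tag --raw in repo and apply the pinned-fingerprint check."""
    proc = subprocess.run(["git", "-C", repo, "verify-tag", "--raw", tag],
                          capture_output=True, text=True)
    return proc.returncode == 0 and signature_matches(proc.stderr, expected_fpr)
```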
