On Thu, Jun 5, 2014 at 4:38 PM, PID0 <p1dz3r0@xxxxxxxxx> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Has anyone given any thought to how we might sign the binaries once
> they're ready?
>

I've done Windows binary signing before, but I've already forgotten parts of the process. Do they create both the public and private keys, and then send me a copy, meaning that for my $100, I get a code signing key that has already been handed over to the NSA? Or do I get to generate my own key pair, and then let them sign my public key? If I recall correctly, they just sent me the private key.

I think signing commits to the source in the git repo should be required, and we can sign the source tarballs (or sha256sums) as well. We'll have to somehow come up with that process... maybe all core devs should sign the sha256 hashes? Surely other projects have had to deal with this...

Bill
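The "all core devs sign the sha256 hashes" process floated above, written out as an added example that is not code from this list or the project: a downloader accepts a tarball only when at least a threshold of distinct trusted fingerprints have valid detached signatures over SHA256SUMS and the tarball matches the manifest. It assumes gpg(1) is installed with the core devs' public keys in the local keyring; the manifest format is that of sha256sum(1), and fingerprints and the threshold are placeholders.

```python
"""Added example: accept a release only when enough core devs signed SHA256SUMS."""
import hashlib
import hmac
import os
import subprocess

def manifest_lines(files):
    """files: {name: bytes}. Returns sha256sum(1)-compatible lines, one per file."""
    return [f"{hashlib.sha256(data).hexdigest()}  {name}" for name, data in files.items()]

def parse_sha256sums(text):
    """Return {name: hexdigest}; reject anything that is not a well-formed manifest line."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, sep, name = line.partition("  ")
        name = name.lstrip("*")  # sha256sum --binary prefixes names with '*'
        if not sep or len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name] = digest.lower()
    return entries

def data_matches(entries, name, data):
    """True if data hashes to the manifest entry for name (constant-time compare, False if absent)."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), entries.get(name, ""))

def count_valid_signatures(manifest_path, sig_paths, trusted_fprs):
    """Count distinct trusted fingerprints that gpg reports VALIDSIG for over the manifest."""
    signers = set()
    for sig in sig_paths:  # one detached signature per core dev: gpg --detach-sign SHA256SUMS
        cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", sig, manifest_path]
        out = subprocess.run(cmd, capture_output=True, text=True).stdout
        for line in out.splitlines():
            if line.startswith("[GNUPG:] VALIDSIG "):
                fpr = line.split()[2]  # VALIDSIG <fingerprint> <date> <timestamp> ...
                if fpr in trusted_fprs:
                    signers.add(fpr)
    return len(signers)

def release_trusted(manifest_path, sig_paths, trusted_fprs, tarball_path, threshold=2):
    """Policy: at least `threshold` distinct core devs signed SHA256SUMS, and the tarball matches it."""
    if count_valid_signatures(manifest_path, sig_paths, trusted_fprs) < threshold:
        return False
    with open(manifest_path) as f, open(tarball_path, "rb") as t:
        return data_matches(parse_sha256sums(f.read()), os.path.basename(tarball_path), t.read())
```

Checking the signature count before looking at the hashes matters: an attacker who can replace the tarball on a mirror can replace SHA256SUMS just as easily, so the manifest is only as trustworthy as the signatures over it.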