[geekcrypt] Re: Binary Signing

  • From: Bill Cox <waywardgeek@xxxxxxxxx>
  • To: geekcrypt@xxxxxxxxxxxxx
  • Date: Thu, 5 Jun 2014 16:51:23 -0400

On Thu, Jun 5, 2014 at 4:38 PM, PID0 <p1dz3r0@xxxxxxxxx> wrote:

> Has anyone given any thought to how we might sign the binaries once
> they're ready?
>
I've done Windows binary signing before, but I've already forgotten parts
of the process.  Do they create both the public and private keys, and then
send me a copy, meaning that for my $100, I get a code signing key that has
already been handed over to the NSA?  Or do I get to generate my own key
pair, and then let them sign my public key?  If I recall correctly, they
just sent me the private key.

I think signing commits to the source in the git repo should be required, and
we can sign the source tarballs (or sha256sums) as well.  We'll have to
somehow come up with that process... maybe all core devs should sign the
sha256 hashes?  Surely other projects have had to deal with this...

Bill

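One way to implement the proposal above (each core dev signs the sha256sums, and a downloader accepts a release only when enough trusted keys signed), as an added example that is not part of this thread: it parses the status output GnuPG emits when verifying a detached signature file, enforces a signer threshold, then checks the tarball against SHA256SUMS. The fingerprints, filenames, timestamps and status lines are constructed placeholders.

```python
import hashlib
# Constructed sample data (not from the thread): a release "tarball", the
# SHA256SUMS text published beside it, and the core-dev keys we trust.
TARBALL = b"hypothetical release contents"
SUMS_TEXT = hashlib.sha256(TARBALL).hexdigest() + "  project-1.0.tar.gz\n"
TRUSTED_CORE_DEVS = {"A" * 40: "dev-one", "B" * 40: "dev-two", "C" * 40: "dev-three"}
THRESHOLD = 2  # accept the release only if this many distinct core devs signed

# Constructed status output shaped like that of
#   gpg --status-fd 1 --verify SHA256SUMS.sig SHA256SUMS
# where several detached signatures were concatenated into SHA256SUMS.sig.
GPG_STATUS = """\
[GNUPG:] VALIDSIG {a} 2014-06-05 1401999083 0 4 0 1 8 00 {a}
[GNUPG:] VALIDSIG {b} 2014-06-05 1401999090 0 4 0 1 8 00 {b}
[GNUPG:] BADSIG 1122334455667788 Someone <someone@example.invalid>
[GNUPG:] VALIDSIG {d} 2014-06-05 1401999100 0 4 0 1 8 00 {d}
""".format(a="A" * 40, b="B" * 40, d="D" * 40)

def signers_from_gpg_status(status_text):
    """Primary-key fingerprint of each good (VALIDSIG) signature; BADSIG etc. ignored."""
    signers = set()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) > 2 and fields[:2] == ["[GNUPG:]", "VALIDSIG"]:
            signers.add(fields[-1].upper())  # last field is the primary key fpr
    return signers

def trusted_signers(signers, trusted=TRUSTED_CORE_DEVS, threshold=THRESHOLD):
    """Map signing fingerprints to known core devs and enforce the threshold."""
    names = sorted(trusted[f] for f in signers if f in trusted)
    if len(names) < threshold:
        raise ValueError(f"only {len(names)} trusted signatures, need {threshold}")
    return names

def verify_sums(sums_text, files):
    """Check every '<sha256>  <name>' line of SHA256SUMS against the file bytes."""
    verified = []
    for line in sums_text.splitlines():
        digest, _, name = line.partition("  ")
        if name not in files:
            raise ValueError(f"{name} is listed in SHA256SUMS but was not downloaded")
        if hashlib.sha256(files[name]).hexdigest() != digest.lower():
            raise ValueError(f"sha256 mismatch for {name}")
        verified.append(name)
    return verified

def verify_release(status_text, sums_text, files):
    """Trust the sums only after enough core devs have vouched for them."""
    return trusted_signers(signers_from_gpg_status(status_text)), verify_sums(sums_text, files)
```

The untrusted fourth signature and the BADSIG line are ignored rather than counted, which is the point of mapping fingerprints to a fixed core-dev list instead of trusting whatever key happens to verify.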