-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We'd likely have to hash the binaries (with SHA512) and then digitally sign the hashes.

On 05/06/2014 21:51, Bill Cox wrote:
> On Thu, Jun 5, 2014 at 4:38 PM, PID0 <p1dz3r0@xxxxxxxxx> wrote:
>
> > Has anyone given any thought to how we might sign the binaries
> > once they're ready?
>
> I've done Windows binary signing before, but I've already forgotten
> parts of the process. Do they create both the public and private
> keys, and then send me a copy, meaning that for my $100, I get a
> code signing key that has already been handed over to the NSA? Or
> do I get to generate my own key pair, and then let them sign my
> public key? If I recall correctly, they just sent me the private
> key.
>
> I think signing commits the source in the git repo should be
> required, and we can sign the source tar-balls (or sha256sums) as
> well. We'll have to somehow come up with that process... maybe all
> core devs should sign the sha256 hashes? Surely other projects
> have had to deal with this...
>
> Bill
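The release process sketched in this thread (hash every binary, sign the hash list rather than the binaries, and require several core developers' signatures), as an added example that is not from this thread or its project; Ed25519 from Go's standard library stands in for GnuPG detached signatures so it runs offline, and the file names, contents and keys are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Manifest renders the release files as a SHA512SUMS-style text, one
// "<hex digest>  <name>" line per file, sorted so every signer hashes the same bytes.
func Manifest(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha512.Sum512(files[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return b.String()
}

// VerifyRelease recomputes the manifest from the files actually downloaded, counts how many
// distinct trusted developer keys signed it, and accepts only if at least `threshold` did.
func VerifyRelease(files map[string][]byte, trusted []ed25519.PublicKey, sigs [][]byte, threshold int) bool {
	manifest := []byte(Manifest(files))
	signers := 0
	for _, pub := range trusted {
		for _, sig := range sigs {
			if ed25519.Verify(pub, manifest, sig) {
				signers++ // a key counts once, however many signatures it produced
				break
			}
		}
	}
	return signers >= threshold
}

func main() {
	files := map[string][]byte{"tool.exe": []byte("binary A"), "tool.tar.gz": []byte("binary B")} // constructed sample
	pubA, privA, _ := ed25519.GenerateKey(nil) // hypothetical core developer A
	pubB, privB, _ := ed25519.GenerateKey(nil) // hypothetical core developer B
	sigs := [][]byte{ed25519.Sign(privA, []byte(Manifest(files))), ed25519.Sign(privB, []byte(Manifest(files)))}
	trusted := []ed25519.PublicKey{pubA, pubB}
	fmt.Println("2 of 2 signed:", VerifyRelease(files, trusted, sigs, 2)) // true
	files["tool.exe"] = []byte("trojaned")                                // altered after signing
	fmt.Println("after tamper:", VerifyRelease(files, trusted, sigs, 2))  // false
}
```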