[geekcrypt] Re: Binary Signing

  • From: PID0 <p1dz3r0@xxxxxxxxx>
  • To: geekcrypt@xxxxxxxxxxxxx
  • Date: Thu, 05 Jun 2014 22:12:44 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We'd likely have to hash the binaries (with SHA512) and then digitally
sign the hashes.

On 05/06/2014 21:51, Bill Cox wrote:
> On Thu, Jun 5, 2014 at 4:38 PM, PID0 <p1dz3r0@xxxxxxxxx> wrote:
> 
>> Has anyone given any thought to how we might sign the binaries
>> once they're ready?
> 
> I've done Windows binary signing before, but I've already forgotten
> parts of the process.  Do they create both the public and private
> keys, and then send me a copy, meaning that for my $100, I get a
> code signing key that has already been handed over to the NSA?  Or
> do I get to generate my own key pair, and then let them sign my
> public key?  If I recall correctly, they just sent me the private
> key.
> 
> I think signing commits to the source in the git repo should be
> required, and we can sign the source tar-balls (or sha256sums) as
> well.  We'll have to somehow come up with that process... maybe all
> core devs should sign the sha256 hashes?  Surely other projects
> have had to deal with this...
> 
> Bill
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

-----END PGP SIGNATURE-----
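The release-signing flow the thread sketches (hash every binary with SHA-512, have each core dev sign the list of hashes, and check both the signatures and the hashes before trusting a download), as an added example that is not code from the list or the project. It substitutes Ed25519 from Go's standard library for the PGP or vendor-issued code-signing keys the thread discusses; the binaries, dev keys and file names are constructed samples.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"sort"
)

// Manifest renders sorted "hexdigest  name" lines (the format sha512sum -c
// reads), so the bytes every core dev signs are deterministic.
func Manifest(binaries map[string][]byte) []byte {
	names := make([]string, 0, len(binaries))
	for n := range binaries {
		names = append(names, n)
	}
	sort.Strings(names)
	var out bytes.Buffer
	for _, n := range names {
		sum := sha512.Sum512(binaries[n])
		fmt.Fprintf(&out, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return out.Bytes()
}

// Verify accepts a download only if every core dev key signed the manifest
// (checked before the manifest is trusted) and every binary matches its digest.
func Verify(devs []ed25519.PublicKey, sigs [][]byte, manifest []byte, binaries map[string][]byte) bool {
	for i, pub := range devs {
		if i >= len(sigs) || !ed25519.Verify(pub, manifest, sigs[i]) {
			return false
		}
	}
	return bytes.Equal(Manifest(binaries), manifest)
}

func main() {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader) // constructed sample keys
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader)
	bins := map[string][]byte{"tool-linux-x64": []byte("ELF..."), "tool.exe": []byte("MZ...")}
	m := Manifest(bins)
	sigs := [][]byte{ed25519.Sign(privA, m), ed25519.Sign(privB, m)}
	fmt.Println("genuine release:", Verify([]ed25519.PublicKey{pubA, pubB}, sigs, m, bins))
	bins["tool.exe"] = []byte("MZ...patched") // binary altered after signing
	fmt.Println("tampered release:", Verify([]ed25519.PublicKey{pubA, pubB}, sigs, m, bins))
}
```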
