[geekcrypt] Re: Binary Signing

  • From: Bill Cox <waywardgeek@xxxxxxxxx>
  • To: geekcrypt@xxxxxxxxxxxxx
  • Date: Thu, 5 Jun 2014 16:51:23 -0400

On Thu, Jun 5, 2014 at 4:38 PM, PID0 <p1dz3r0@xxxxxxxxx> wrote:

> Has anyone given any thought to how we might sign the binaries once
> they're ready?
I've done Windows binary signing before, but I've already forgotten parts
of the process.  Do they create both the public and private keys, and then
send me a copy, meaning that for my $100, I get a code signing key that has
already been handed over to the NSA?  Or do I get to generate my own key
pair, and then let them sign my public key?  If I recall correctly, they
just sent me the private key.

I think signing commits to the source in the git repo should be required, and
we can sign the source tar-balls (or sha256sums) as well.  We'll have to
somehow come up with that process... maybe all core devs should sign the
sha256 hashes?  Surely other projects have had to deal with this...
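The release-signing process floated above (hash the tar-balls into a sha256sums listing, have every core dev sign that listing, and have users check both the signatures and the hashes) can be sketched in code. The following is an added example written for this archive page, not code from the thread or from the project; it uses Go's standard-library ed25519 as a stand-in for the GnuPG keys the thread has in mind, and the artifact names, developer names and file contents are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Artifact is one release file. The bytes are constructed in memory here
// instead of being read from a tarball on disk.
type Artifact struct {
	Name string
	Data []byte
}

// SampleArtifacts returns two constructed release files (names and contents
// are made up for this example).
func SampleArtifacts() []Artifact {
	return []Artifact{
		{Name: "project-1.0.tar.gz", Data: []byte("constructed tarball bytes")},
		{Name: "project-1.0-win32.zip", Data: []byte("constructed zip bytes")},
	}
}

// Manifest builds a sha256sum-style listing, one "<hex>  <name>" line per
// artifact, sorted by name so every dev signs byte-identical text.
func Manifest(arts []Artifact) []byte {
	lines := make([]string, 0, len(arts))
	for _, a := range arts {
		sum := sha256.Sum256(a.Data)
		lines = append(lines, hex.EncodeToString(sum[:])+"  "+a.Name)
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n") + "\n")
}

// Dev is a core developer holding a signing key pair. ed25519 stands in for a
// GnuPG key; the point is the same: the private half never leaves the dev.
type Dev struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewDev generates a fresh key pair for the named developer.
func NewDev(name string) Dev {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Dev{Name: name, Pub: pub, priv: priv}
}

// Sign produces this dev's detached signature over the manifest bytes.
func (d Dev) Sign(manifest []byte) []byte {
	return ed25519.Sign(d.priv, manifest)
}

// SignAll collects a detached signature from every core dev, keyed by name.
func SignAll(devs []Dev, manifest []byte) map[string][]byte {
	sigs := make(map[string][]byte, len(devs))
	for _, d := range devs {
		sigs[d.Name] = d.Sign(manifest)
	}
	return sigs
}

// VerifyRelease is the user-side check: the downloaded artifacts must hash to
// exactly the signed manifest, and every core dev's signature on that manifest
// must verify. A swapped tarball or a missing signer is reported, not ignored.
func VerifyRelease(arts []Artifact, manifest []byte, devs []Dev, sigs map[string][]byte) error {
	if !bytes.Equal(Manifest(arts), manifest) {
		return errors.New("artifact hashes do not match the signed manifest")
	}
	for _, d := range devs {
		sig, ok := sigs[d.Name]
		if !ok {
			return fmt.Errorf("no signature from %s", d.Name)
		}
		if !ed25519.Verify(d.Pub, manifest, sig) {
			return fmt.Errorf("bad signature from %s", d.Name)
		}
	}
	return nil
}

func main() {
	arts := SampleArtifacts()
	devs := []Dev{NewDev("alice"), NewDev("bob")} // constructed core devs
	manifest := Manifest(arts)
	fmt.Print(string(manifest))
	sigs := SignAll(devs, manifest)
	fmt.Println("clean release:", VerifyRelease(arts, manifest, devs, sigs))
	delete(sigs, "bob")
	fmt.Println("one signer missing:", VerifyRelease(arts, manifest, devs, sigs))
}
```

Requiring every core dev's signature is the strictest reading of the proposal; a real policy would also need a way to publish and verify the devs' public keys, which is the part GnuPG's web of trust is meant to cover.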

