If you were to publish a GPG key that is used for code signing and signed the latest version of the hashes file and each binary download file for each release with a detached GnuPG signature file, it would go a long way toward ensuring not only that the bits are correct (which the hash already tells us) but that the integrity of the hashes list is unimpeachable as well. This could be very easily scripted on your end when new releases are put out.
Signing the binary for each release tarball individually would be awesome as well.
Here are a couple of example projects that do this:
https://github.com/tianon/gosu/releases
https://github.com/just-containers/s6-overlay/releases
An example usage (in a Dockerfile) would be something like this:
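The signing workflow the issue asks for, end to end, as an added example that is not part of the original post and is not the project's own release tooling. The maintainer side creates a signing-only key, writes a SHA256SUMS file, and detach-signs the hash list and every binary; the consumer side is the check a Dockerfile RUN step would perform against a pinned key fingerprint. The key, the user ID `Release Signing (hypothetical) <release@example.invalid>`, the file names and the "binary" contents are all constructed for the demo; only GnuPG 2.1+ and GNU coreutils `sha256sum` are assumed.

```shell
#!/usr/bin/env bash
# Added example, not code from this issue or from the project: detached GPG
# signatures over SHA256SUMS and each binary, plus the consumer-side check a
# Dockerfile would run. Key, user ID, file names and contents are constructed.
set -euo pipefail

WORK="$(mktemp -d)"
export GNUPGHOME="$WORK/maintainer"        # maintainer's keyring (signing side)
CONSUMER_HOME="$WORK/consumer"             # empty keyring, like a fresh build container
mkdir -p "$GNUPGHOME" "$CONSUMER_HOME"
chmod 700 "$GNUPGHOME" "$CONSUMER_HOME"
SIGNER="Release Signing (hypothetical) <release@example.invalid>"   # hypothetical
trap 'for h in "$GNUPGHOME" "$CONSUMER_HOME"; do GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true; done' EXIT

# Maintainer: create a signing-only key once (a real project keeps a long-lived key,
# ideally offline or on a hardware token) and export the public half for publishing.
make_key() {
  if ! gpg --batch --list-secret-keys "$SIGNER" >/dev/null 2>&1; then
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$SIGNER" ed25519 sign never
  fi
  gpg --batch --armor --export "$SIGNER" > "$WORK/release-key.asc"
}

# Fingerprint the consumer is expected to pin (hard-coded in a Dockerfile, not fetched).
signer_fingerprint() {
  gpg --batch --with-colons --list-keys "$SIGNER" | awk -F: '$1=="fpr"{print $10; exit}'
}

# Maintainer: build artifacts, write the hash list, detach-sign the list and every binary.
make_release() {
  local dir="$WORK/release" f
  rm -rf "$dir"; mkdir -p "$dir"
  printf 'constructed binary for amd64\n' > "$dir/tool-amd64"
  printf 'constructed binary for arm64\n' > "$dir/tool-arm64"
  ( cd "$dir" && sha256sum tool-amd64 tool-arm64 > SHA256SUMS )
  for f in SHA256SUMS tool-amd64 tool-arm64; do
    gpg --batch --yes --armor --detach-sign --local-user "$SIGNER" \
        -o "$dir/$f.asc" "$dir/$f"
  done
}

# Consumer: import the published key, require a VALIDSIG from the pinned fingerprint
# on SHA256SUMS, then check every listed hash. Returns non-zero on any failure.
verify_release() {
  local dir="$1" fpr="$2" status
  GNUPGHOME="$CONSUMER_HOME" gpg --batch --quiet --import "$WORK/release-key.asc" 2>/dev/null
  status="$(GNUPGHOME="$CONSUMER_HOME" gpg --batch --status-fd 1 \
            --verify "$dir/SHA256SUMS.asc" "$dir/SHA256SUMS" 2>/dev/null)" || return 1
  # A bare exit status accepts any key in the keyring; bind the signature to the pinned key.
  printf '%s\n' "$status" | awk -v fpr="$fpr" \
    '$1=="[GNUPG:]" && $2=="VALIDSIG" && ($3==fpr || $NF==fpr) {ok=1} END {exit ok?0:1}' || return 1
  ( cd "$dir" && sha256sum --check --strict --quiet SHA256SUMS ) || return 1
}

# The case the issue is about: replace a binary AND rewrite the hash list, so that
# sha256sum -c alone still passes. Only the signature on SHA256SUMS exposes it.
tamper_release() {
  rm -rf "$WORK/tampered"; cp -r "$WORK/release" "$WORK/tampered"
  printf 'backdoored binary\n' > "$WORK/tampered/tool-amd64"
  ( cd "$WORK/tampered" && sha256sum tool-amd64 tool-arm64 > SHA256SUMS )
}

main() {
  local fpr
  make_key; make_release; tamper_release
  fpr="$(signer_fingerprint)"
  verify_release "$WORK/release" "$fpr" || { echo "genuine release: FAILED"; exit 1; }
  echo "genuine release: signature and hashes OK"
  ( cd "$WORK/tampered" && sha256sum --check --quiet SHA256SUMS ) && echo "tampered: hashes alone still match"
  verify_release "$WORK/tampered" "$fpr" || echo "tampered: signature on SHA256SUMS REJECTED"
}
main
```

In a Dockerfile this collapses to one RUN step: import the maintainer's key by its pinned fingerprint, `gpg --batch --verify SHA256SUMS.asc SHA256SUMS`, then `sha256sum -c`; a per-binary check is the same call against `tool-amd64.asc tool-amd64`. The VALIDSIG check matters because `gpg --verify` returns success for a signature from any key in the keyring, so a build that imports keys from a keyserver without pinning the fingerprint is not actually verifying who signed the release.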