Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: Add signrel command for sigining arc release assets #1426

Merged
merged 2 commits into from
May 15, 2022
Merged

Conversation

mumoshu
Copy link
Collaborator

@mumoshu mumoshu commented May 10, 2022

I used this command to sign assets for the recent releases to comply with the recommendation of https://github.com/ossf/scorecard/blob/5758364c82f7fc72b256f9a8cfc89dc550d7dd66/docs/checks.md#signed-releases

It's on my TODO to upload the gpg public key to a well-known place other than github releases(any recommendation? Just upload to github so that it is available at https://api.github.com/users/mumoshu/gpg_keys although I don't use that public key for signing commits?), and provide instructions to use that key to verify release assets. Addressed. Please see the updated hack/signrel/README.md

Ref #1298

@mumoshu mumoshu requested a review from toast-gear as a code owner May 10, 2022 11:49
@mumoshu mumoshu added this to the v0.24.0 milestone May 11, 2022
@mumoshu mumoshu merged commit bdbcf66 into master May 15, 2022
@mumoshu mumoshu deleted the add-signrel branch May 15, 2022 23:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant