Suggestion: github releases

Adam Bishop Adam.Bishop at jisc.ac.uk
Mon Jul 17 16:26:18 CEST 2017


On 17 Jul 2017, at 15:20, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> Ah. I think it's possible to generate the GPG sig locally after the tarball has been generated (and verified of course...) and then insert it into the release, but that is a bit of a faff I guess.
> 
> It's a shame there isn't some workflow here where the developer could sign a tag, then GH build a tarball of the signed tag, and sign the tarball with some kind of per-project key. Oh well.

The workflow is pretty simple - you either:
* create the release in draft form, download it for signing, then add the detached signature as a second binary.
* create the tarball locally using git archive (which should create a bit-for-bit clone of what GitHub will serve) then sign and upload the detached signature as a second binary.

Regards,

Adam Bishop

  gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460

jisc.ac.uk
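
The second option in the message above, with the bit-for-bit check made explicit before anything is signed. This is an added example, not part of the original message or the FreeRADIUS project; the function names and the tag, prefix and file-name arguments are hypothetical placeholders.

```shell
# Added example. Assumptions: run inside the project's git checkout; the tag,
# prefix and file names are supplied by the caller and are not from the thread.

# Build the tarball locally from a tag. The prefix must match the top-level
# directory name in the served tarball, or the bytes cannot match.
make_local_tarball() {   # usage: make_local_tarball <tag> <prefix> <out.tar.gz>
    git archive --format=tar.gz --prefix="$2/" -o "$3" "$1"
}

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Prints one of:
#   identical  - the two files are bit-for-bit the same
#   same-tar   - the tar payload matches, only the gzip wrapper differs
#   different  - the archived contents differ
compare_tarballs() {     # usage: compare_tarballs <local.tar.gz> <downloaded.tar.gz>
    if [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]; then
        echo identical
    elif [ "$(gzip -dc "$1" | sha256sum)" = "$(gzip -dc "$2" | sha256sum)" ]; then
        echo same-tar
    else
        echo different
    fi
}

# Write a detached, ASCII-armoured signature next to the downloaded tarball,
# but only when it is byte-identical to the locally built one. A detached
# signature covers exact bytes, so "same-tar" is reported and not signed.
sign_if_identical() {    # usage: sign_if_identical <local.tar.gz> <downloaded.tar.gz>
    local verdict
    verdict=$(compare_tarballs "$1" "$2")
    if [ "$verdict" != identical ]; then
        echo "refusing to sign: tarballs are $verdict" >&2
        return 1
    fi
    gpg --armor --detach-sign --output "$2.asc" "$2"
}
```

The resulting `.asc` file is what gets uploaded to the release as the second binary; a downloader checks it with `gpg --verify <tarball>.asc <tarball>`.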
