Hi. I have created a feature request about signing with minisign https://github.com/haproxy/haproxy/issues/198
Event this topic was discussed on the list ~07.2018 I think we can start a new discussion with the tool minisign which is easier to handle then gpg. https://www.mail-archive.com/[email protected]/msg30836.html The arguments in the past are still valid but the difference is that the tool makes the setup and the signing much easier, AFAIK. The Issues about the private key for signing can be handled in that way that the key is only valid for signing the package and the usage is straightforward. What I have in mind. 1. Step create key minisign -G -s ~/.haproxy-signing/haproxy-source.key -p ~/.haproxy-signing/haproxy-source.pub 2. Step sign package echo ${SIG_PASS}|minisign -Sm haproxy-$NEW.tar.gz -s ~/.haproxy-signing/haproxy-source.key -x haproxy-$NEW.tar.gz.minisig 3. Step verify tar.gz minisign -Vm haproxy-$NEW.tar.gz -P RWRdvBnvjOVnRqqLYt9FJ3fpUqTVzMaUPcSJ6E2WYotHGMbpqh0dzMwG Opinions? Best regards Aleks
