On 3/15/26 09:55, Daniil Gentili wrote:
>> I worked on an automated release workflow[^1] for php-src a few years
>> ago, but after discussions with others from various major project
>> communities (including Apache, Linux, etc.), I realized the solution
>> wasn't workable for one main reason:
>> An automated workflow cannot sign builds and still be considered secure.
>> Builds must be signed by a human on the machine where the build took
>> place. Automating the signatures in the cloud significantly reduces
>> trust and greatly increases the likelihood of a bad actor gaining access
>> to sneak things into the build (e.g., through compromised GitHub
>> Actions, etc.).
> I strongly disagree.
> I have way more trust in an automatic build environment with reproducible
> (key word here) builds than in a (potentially corruptible) human that
> pinkie swears no changes were made to an autogenerated configure contained
> in released tarballs.
That's why the builds are signed, and the keys used to sign the builds
are also signed by other, trusted parties. If the human who builds it
introduces any changes, we can trace it directly to them because they
signed that build. If their key was compromised, they revoke the key,
and the build's signature now shows as valid but using a revoked key, so
others know not to trust it.
Cheers,
Ben
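The state Ben describes (a signature that still verifies, but was made with a key its owner has since revoked) is not something `gpg --verify`'s exit code tells you on its own; a verifier has to read GnuPG's status lines. The script below is an added example, not code from this thread or from php-src's release tooling. It assumes GnuPG 2.1 or later is installed, and it builds everything it needs itself: a throwaway keyring, a made-up signer identity `Release Manager <rm@example.invalid>`, a constructed stand-in file for a release tarball, and the revocation certificate that GnuPG writes alongside every newly generated key.

```shell
#!/bin/sh
# Added example (not from the php-internals thread or php-src): walk a signing
# key through sign -> verify -> revoke -> verify again, and classify each
# verification from gpg's machine-readable status lines.  Everything below is
# constructed for the demo: the keyring, the identity and the "tarball".
set -eu

GNUPGHOME="$(mktemp -d)"; export GNUPGHOME
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

# Generate an unprotected Ed25519 signing key and print its fingerprint.
make_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Release Manager <rm@example.invalid>' ed25519 sign never >/dev/null
    gpg --batch --with-colons --list-secret-keys | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Detached, ASCII-armored signature over $1 made with the key whose fingerprint is $2.
sign_release() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --local-user "$2" --armor --detach-sign --output "$1.asc" "$1"
}

# Classify a verification from the --status-fd lines, not from the exit code or
# the human-readable text.  A good signature made with a revoked key is reported
# as REVKEYSIG (older releases also emit KEYREVOKED) instead of GOODSIG.
verify_status() {   # $1 = signed file, $2 = detached signature
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null || true)
    case "$status" in
        *BADSIG*)                 echo BAD ;;
        *REVKEYSIG*|*KEYREVOKED*) echo REVOKED ;;
        *GOODSIG*)                echo GOOD ;;
        *)                        echo UNKNOWN ;;
    esac
}

# Revoke key $1 by importing the revocation certificate gpg stored at key
# creation.  gpg guards that file by prefixing its BEGIN line with ':'.
revoke_key() {
    sed 's/^://' "$GNUPGHOME/openpgp-revocs.d/$1.rev" > "$GNUPGHOME/revoke.asc"
    gpg --batch --quiet --import "$GNUPGHOME/revoke.asc"
}

# Run the lifecycle; results are left in BEFORE and AFTER for inspection.
run_demo() {
    fpr=$(make_key)
    tarball="$GNUPGHOME/php-x.y.z.tar.gz"
    printf 'constructed stand-in for a release tarball\n' > "$tarball"
    sign_release "$tarball" "$fpr"
    BEFORE=$(verify_status "$tarball" "$tarball.asc")
    revoke_key "$fpr"
    AFTER=$(verify_status "$tarball" "$tarball.asc")
    printf 'before revocation: %s\nafter revocation:  %s\n' "$BEFORE" "$AFTER"
}

run_demo
```

The signature bytes never change between the two verifications; only the keyring's knowledge about the key does, which is exactly why a verifier that stops at "Good signature" or at a zero exit status gets this case wrong. Treat `REVKEYSIG` (and `EXPKEYSIG`, which the same `case` could be extended to cover) as a rejection, and make sure the keyring you verify against is refreshed from wherever the project publishes revocations.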