On Friday, 5 April 2024, 13:45:35 CEST, Carl Schwan wrote:
> On Friday, April 5, 2024 12:04:28 PM CEST Albert Vaca Cintora wrote:
> > - Tarballs should only be generated in a reproducible manner using
> > scripts. Ideally by the CI only.
> > - We should start to sign tarballs in the CI.
>
> I disagree. I want my tarball to be signed with my GPG key stored in my
> Yubikey and not by a generic KDE key. It should be a proof that I as a
> maintainer of a project did the release and not someone else. Same with the
> upload to download.kde.org, while this adds some overhead in the process, I
> think it is important that KDE Sysadmins are the ones who move the tarball
> to their final location and do some minimal check (checksum match, it's not
> a random person doing the release, ...).
Signing with a KDE key could have some benefits, though. It's far easier for
distros (or users) to check KDE software against a single, well known key.
One could mitigate the downside that you mentioned by having the script check
the tag signature against a keyring of trusted keys.

Cheers,
Johannes
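As an added illustration of the check Johannes suggests (this is example code written for this thread, not KDE's release tooling or any script from the project): a CI-side script that refuses to sign and publish a tarball unless the release tag carries a signature from one of the maintainers' keys. It runs `git verify-tag --raw`, which prints GnuPG's machine-readable status lines (GOODSIG, VALIDSIG, BADSIG, EXPKEYSIG, ...) to stderr, and points GNUPGHOME at a directory holding only the trusted keyring. The fingerprint allowlist, the keyring directory and the repository path are hypothetical placeholders.

```python
"""Check that a release tag is signed by a trusted maintainer key.

Example code added to this thread, not KDE's own script.  The policy is:
a good signature, from a key that is neither expired nor revoked, whose
primary-key fingerprint is in an allowlist maintained by sysadmins.  Only
after this check passes would the CI sign the tarball with the shared
KDE key.
"""
import os
import subprocess
from typing import Iterable

# Hypothetical allowlist of maintainers' primary-key fingerprints.
# The value below is a constructed placeholder, not a real key.
TRUSTED_FINGERPRINTS = {
    "0123456789ABCDEF0123456789ABCDEF01234567",
}


def parse_status(status_lines: Iterable[str]) -> dict:
    """Reduce GnuPG status-fd output to the facts the policy needs."""
    result = {"good": False, "bad": False, "fingerprint": None, "key_problem": None}
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword == "GOODSIG":
            result["good"] = True
        elif keyword in ("BADSIG", "ERRSIG", "NO_PUBKEY"):
            result["bad"] = True
        elif keyword in ("EXPKEYSIG", "REVKEYSIG"):
            # GnuPG emits these instead of GOODSIG for expired/revoked keys.
            result["key_problem"] = keyword
        elif keyword == "VALIDSIG":
            # The last field of VALIDSIG is the primary-key fingerprint;
            # the allowlist is keyed on it so signing subkeys may rotate.
            result["fingerprint"] = fields[-1].upper()
    return result


def tag_signed_by_trusted_key(status: dict, trusted: set) -> bool:
    """Apply the acceptance policy to a parsed status dict."""
    return (
        status["good"]
        and not status["bad"]
        and status["key_problem"] is None
        and status["fingerprint"] in trusted
    )


def verify_release_tag(repo: str, tag: str, keyring_home: str,
                       trusted: set = TRUSTED_FINGERPRINTS) -> bool:
    """Run `git verify-tag --raw` against a dedicated trusted keyring.

    GNUPGHOME is pointed at a directory that contains only the trusted
    public keys, so an unknown signer fails at the GnuPG level too.
    """
    env = dict(os.environ, GNUPGHOME=keyring_home)
    proc = subprocess.run(
        ["git", "-C", repo, "verify-tag", "--raw", tag],
        env=env, capture_output=True, text=True,
    )
    status = parse_status(proc.stderr.splitlines())
    return proc.returncode == 0 and tag_signed_by_trusted_key(status, trusted)


if __name__ == "__main__":
    import sys
    # Usage: verify_tag.py <repo> <tag> <trusted-keyring-dir>
    accepted = verify_release_tag(sys.argv[1], sys.argv[2], sys.argv[3])
    print("tag signature accepted" if accepted else "tag signature REJECTED")
    sys.exit(0 if accepted else 1)
```

The parser checks the primary-key fingerprint rather than the short key ID printed by GOODSIG, since short IDs are not collision-resistant, and it treats EXPKEYSIG and REVKEYSIG as rejections even though GnuPG still reports the signature itself as valid in those cases.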