Status: New
Owner: ----
Labels: Type-Defect Priority-Medium
New issue 405 by wtog...@gmail.com: GPG signature for tar.gz releases
https://code.google.com/p/memcached/issues/detail?id=405
Could you please provide GPG signatures for each of the .tar.gz releases as
part of your release process? It would be helpful for downstream
distributors like the Fedora Project to quickly verify the integrity of
their download if releases are signed by one of the prominent authors.

Example of Signing
==================

# gpg -a -b -s memcached-1.4.23.tar.gz
This creates a corresponding memcached-1.4.23.tar.gz.asc file. Provide
both the .tar.gz and a signature link for downloads for those who want to
verify the integrity of the tarball.
Ideally the release manager or a prominent developer of the project would
be the one signing the tarballs. If they do not already have a GPG key, it
would be a good time to create one now and announce the key signature to
the community on the mailing list.

Example of Signing Identity
===========================

# gpg --fingerprint 0E604491
pub 2048R/0E604491 2013-04-30
Key fingerprint = 8657 ABB2 60F0 56B1 E519 0839 D9C4 D26D 0E60 4491
uid Matt Caswell <m...@openssl.org>
uid Matt Caswell <fr...@baggins.org>
sub 2048R/E3C21B70 2013-04-30
This is one of the signers of openssl releases.

Example of Verification
=======================

http://openssl.org/source/
# wget http://openssl.org/source/openssl-1.0.2a.tar.gz
# wget http://openssl.org/source/openssl-1.0.2a.tar.gz.asc
# gpg --verify openssl-1.0.2a.tar.gz.asc
gpg: assuming signed data in `openssl-1.0.2a.tar.gz'
gpg: Signature made Thu 19 Mar 2015 03:31:21 AM HST using RSA key ID 0E604491
gpg: Good signature from "Matt Caswell <m...@openssl.org>"
gpg: aka "Matt Caswell <fr...@baggins.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner
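
Added example, not part of the original issue or of either project's tooling: the verification output above ends with a warning that the key is not certified, so "Good signature" alone does not tie the tarball to the expected signer. This sketch pins the fingerprint printed by `gpg --fingerprint` earlier and checks gpg's machine-readable `--status-fd` output against it; the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Accept a release only if gpg reports a valid signature from a pinned key.

# Fingerprint as shown by `gpg --fingerprint 0E604491` above, spaces removed.
PINNED_FPR="8657ABB260F056B1E5190839D9C4D26D0E604491"

# check_status EXPECTED_FPR
# Reads `gpg --status-fd` records on stdin. Succeeds only when a VALIDSIG
# record names EXPECTED_FPR as the signing or primary key fingerprint and no
# record reports a bad, unverifiable, expired or revoked signature or key.
check_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # VALIDSIG: field 3 is the signing key fingerprint,
        # the last field is the primary key fingerprint.
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { exit ((ok && !bad) ? 0 : 1) }
    '
}

# verify_release TARBALL [FPR]
# Expects the detached signature TARBALL.asc next to the tarball and the
# signer's public key already imported into the local keyring.
verify_release() {
    gpg --batch --no-tty --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null |
        check_status "${2:-$PINNED_FPR}"
}

# Constructed status records (not captured from a real run) for a dry check.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D9C4D26D0E604491 Constructed Signer
[GNUPG:] VALIDSIG 8657ABB260F056B1E5190839D9C4D26D0E604491 2015-03-19 1426771881 0 4 0 1 2 00 8657ABB260F056B1E5190839D9C4D26D0E604491'

if printf '%s\n' "$SAMPLE_STATUS" | check_status "$PINNED_FPR"; then
    echo "sample status: signed by pinned key"
fi
```

In a packaging script, `verify_release memcached-1.4.23.tar.gz <project fingerprint>` would gate the build on the exit status, with the fingerprint taken from the project's announcement rather than from the download site itself.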