-
Notifications
You must be signed in to change notification settings - Fork 338
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sign releases using a PGP key #2182
Comments
Thanks for raising this @mitchellrj , this makes even more sense since gauge no longer signs the binaries. Would you be interested in sending a pull request? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
It would be nice to be able to verify release file signatures with PGP, either through signatures of the file directly or signatures of the checksum file. Particularly in light of the recent issues with codecov.
A common way to achieve this is to include checksum files in your release artifacts, along with a signature of that checksum file. Alternatively each file in the release can be signed individually.
Thank you for your consideration.
The text was updated successfully, but these errors were encountered: