From: Simon Ruderich <simon@ruderich.org>
To: zsh-workers@zsh.org
Subject: Re: zsh 5.1.1-test-1
Date: Tue, 24 Nov 2015 08:41:19 +0100 [thread overview]
Message-ID: <20151124074119.GA28495@ruderich.org> (raw)
In-Reply-To: <20151122153108.6054abfc@ntlworld.com>
[-- Attachment #1.1: Type: text/plain, Size: 1813 bytes --]
On Sun, Nov 22, 2015 at 03:31:08PM +0000, Peter Stephenson wrote:
> This has been mentioned before and I'm happy to go along with it if
> someone who knows what they're doing wants to set it up / establish
> ground rules. I'll need to set up a gpg key as it doesn't like my
> existing PGP key.
Hello,
Thanks for considering it.
The guide at [1] has all the necessary information to create a
secure GPG key. The important parts: Put the following in your
~/.gnupg/gpg.conf (or use the version from [2]):
personal-digest-preferences SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
These config settings are important to prevent gpg from using
SHA-1, which might become insecure in the future.
Then run gpg --gen-key and accept the defaults (or change them as
you see fit; but the key should be >= 2048 bit).
Now you can sign all tarballs with gpg --armor --detach-sign and
tag the commits with git tag -s (add -u keyid if you have
multiple keys).
I attached a small patch which will take care of the signing of
the tarballs.
> (The idea that a tag signed by me is somehow "safer" than anything else
> on the master branch in the git repository is a bit far-fetched, but
> that's a different issue; nothing wrong with using the state of the art
> technology.)
The idea is not safer, but at least attributable to you. Same for
the tarball. It ensures that everybody gets the same, hopefully
trustable, version.
Regards
Simon
[1]: https://help.riseup.net/en/gpg-best-practices
[2]: https://raw.githubusercontent.com/ioerror/duraconf/master/configs/gnupg/gpg.conf
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
[-- Attachment #1.2: 0001-Makefile.in-sign-tarballs-with-gpg.patch --]
[-- Type: text/x-diff, Size: 1001 bytes --]
From 42cbfc9e606250e3bf3d8d8930f06793429a925c Mon Sep 17 00:00:00 2001
Message-Id: <42cbfc9e606250e3bf3d8d8930f06793429a925c.1448350522.git.simon@ruderich.org>
From: Simon Ruderich <simon@ruderich.org>
Date: Tue, 24 Nov 2015 08:35:12 +0100
Subject: [PATCH] Makefile.in: sign tarballs with gpg
---
Makefile.in | 2 ++
1 file changed, 2 insertions(+)
diff --git a/Makefile.in b/Makefile.in
index cb74e94..dc86264 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -167,6 +167,7 @@ $(DISTNAME).tar.gz: FORCE
echo '#define ZSH_PATCHLEVEL "'`cd $(sdir_top) && git describe --tags --long`'"' >$(DISTNAME)/Src/patchlevel.h.release
tar cf - $(DISTNAME) | gzip -9 > $@
rm -rf $(DISTNAME)
+ gpg --armor --detach-sign $@
targz-doc: $(DISTNAME)-doc.tar.gz
$(DISTNAME)-doc.tar.gz: FORCE
@@ -174,5 +175,6 @@ $(DISTNAME)-doc.tar.gz: FORCE
$(MAKE) $(MAKEDEFS)
tar cf - $(DISTNAME) | gzip -9 > $@
rm -rf $(DISTNAME)
+ gpg --armor --detach-sign $@
FORCE:
--
2.6.2
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
next prev parent reply other threads:[~2015-11-24 7:41 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-21 18:35 Peter Stephenson
2015-11-21 18:54 ` Pascal Wittmann
2015-11-21 19:09 ` Simon Ruderich
2015-11-21 22:25 ` Bart Schaefer
2015-11-22 14:31 ` Christian Heinrich
2015-11-22 15:31 ` Peter Stephenson
2015-11-24 7:41 ` Simon Ruderich [this message]
2015-11-21 23:01 ` Test/V01private.ztst skipped (was: zsh 5.1.1-test-1) Daniel Shahaf
2015-11-22 1:09 ` Bart Schaefer
2015-11-25 1:44 ` Daniel Shahaf
2015-11-22 1:14 ` Bart Schaefer
2015-11-22 7:51 ` Bart Schaefer
2015-11-22 10:54 ` zsh 5.1.1-test-1 Sebastian Gniazdowski
2015-11-22 11:48 ` Manuel Presnitz
2015-11-22 12:23 ` Mikael Magnusson
2015-11-22 16:09 ` Peter Stephenson
2015-11-22 16:52 ` Peter Stephenson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151124074119.GA28495@ruderich.org \
--to=simon@ruderich.org \
--cc=zsh-workers@zsh.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/zsh/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).