From: Simon Ruderich <simon@ruderich.org>
To: zsh-workers@zsh.org
Subject: Re: zsh 5.1.1-test-1
Date: Tue, 24 Nov 2015 08:41:19 +0100	[thread overview]
Message-ID: <20151124074119.GA28495@ruderich.org> (raw)
In-Reply-To: <20151122153108.6054abfc@ntlworld.com>



On Sun, Nov 22, 2015 at 03:31:08PM +0000, Peter Stephenson wrote:
> This has been mentioned before and I'm happy to go along with it if
> someone who knows what they're doing wants to set it up / establish
> ground rules.  I'll need to set up a gpg key as it doesn't like my
> existing PGP key.

Hello,

Thanks for considering it.

The guide at [1] has all the necessary information to create a
secure GPG key. The important parts: Put the following in your
~/.gnupg/gpg.conf (or use the version from [2]):

    personal-digest-preferences SHA256
    cert-digest-algo SHA256
    default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

These config settings are important to prevent gpg from using
SHA-1, which might become insecure in the future.

Then run gpg --gen-key and accept the defaults (or change them as
you see fit; but the key should be >= 2048 bit).

Now you can sign all tarballs with gpg --armor --detach-sign and
tag the commits with git tag -s (add -u keyid if you have
multiple keys).

I attached a small patch which will take care of the signing of
the tarballs.

> (The idea that a tag signed by me is somehow "safer" than anything else
> on the master branch in the git repository is a bit far-fetched, but
> that's a different issue; nothing wrong with using the state of the art
> technology.)

The idea is not safer, but at least attributable to you. Same for
the tarball. It ensures that everybody gets the same, hopefully
trustable, version.

Regards
Simon

[1]: https://help.riseup.net/en/gpg-best-practices
[2]: https://raw.githubusercontent.com/ioerror/duraconf/master/configs/gnupg/gpg.conf
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

[-- Attachment #1.2: 0001-Makefile.in-sign-tarballs-with-gpg.patch --]
[-- Type: text/x-diff, Size: 1001 bytes --]

From 42cbfc9e606250e3bf3d8d8930f06793429a925c Mon Sep 17 00:00:00 2001
Message-Id: <42cbfc9e606250e3bf3d8d8930f06793429a925c.1448350522.git.simon@ruderich.org>
From: Simon Ruderich <simon@ruderich.org>
Date: Tue, 24 Nov 2015 08:35:12 +0100
Subject: [PATCH] Makefile.in: sign tarballs with gpg

---
 Makefile.in | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Makefile.in b/Makefile.in
index cb74e94..dc86264 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -167,6 +167,7 @@ $(DISTNAME).tar.gz: FORCE
 	echo '#define ZSH_PATCHLEVEL "'`cd $(sdir_top) && git describe --tags --long`'"' >$(DISTNAME)/Src/patchlevel.h.release
 	tar cf - $(DISTNAME) | gzip -9 > $@
 	rm -rf $(DISTNAME)
+	gpg --armor --detach-sign $@
 
 targz-doc: $(DISTNAME)-doc.tar.gz
 $(DISTNAME)-doc.tar.gz: FORCE
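Review bot: the added `gpg --armor --detach-sign $@` runs unconditionally inside the `$(DISTNAME).tar.gz` recipe, so `make targz` now fails, or blocks on a passphrase prompt, on any machine without the release key, including anyone rolling a test tarball or an automated build. Consider guarding it behind a make variable, e.g. `GPG_SIGN = gpg --armor --detach-sign` invoked as `$(GPG_SIGN) $@` so it can be overridden to `true` or emptied, or a separate `sign` target that depends on the tarball. The same variable would also carry the `-u keyid` the mail says is needed with several keys, which the hardcoded command cannot express. Note too that gpg asks before overwriting an existing `$@.asc` left from an earlier run; remove it first or pass `--yes` so the recipe stays non-interactive.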
@@ -174,5 +175,6 @@ $(DISTNAME)-doc.tar.gz: FORCE
 	    $(MAKE) $(MAKEDEFS)
 	tar cf - $(DISTNAME) | gzip -9 > $@
 	rm -rf $(DISTNAME)
+	gpg --armor --detach-sign $@
 
 FORCE:
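Review bot: this is the same signing line duplicated verbatim in the `$(DISTNAME)-doc.tar.gz` recipe; factoring it into one variable or a shared rule keeps both in sync, since the option list (or a later `-u keyid`) otherwise has to be edited in two places. The unconditional-run concern from the first hunk applies here as well. Worth checking that the generated `.asc` files are covered by the clean targets and by whatever uploads the tarballs, since the signature is only useful if it ships beside the archive.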
-- 
2.6.2
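The three gpg.conf lines in the mail are easy to paste but also easy to get subtly wrong (a stale `SHA1` left in `personal-digest-preferences`, or a preference list that still ranks SHA1 first). The following is an added example, not code from the mail or from the zsh project: a small linter that parses a gpg.conf the way gpg does (one option per line, `#` lines ignored, a later option overriding an earlier one) and reports whether the digest settings match what the mail recommends. Both sample configurations are constructed for the example; the "hardened" one is the mail's three lines verbatim.

```python
"""Lint a gpg.conf for the digest-hardening settings recommended in the mail.

Added example (not from the original message or the zsh project).  It checks
that personal-digest-preferences and cert-digest-algo avoid SHA-1 and that the
default-preference-list ranks a SHA-2 digest ahead of any weak digest.
"""

STRONG_DIGESTS = {"SHA512", "SHA384", "SHA256", "SHA224"}
WEAK_DIGESTS = {"SHA1", "MD5", "RIPEMD160"}

# Constructed sample: a gpg.conf that still lets gpg pick SHA-1.
WEAK_CONF = """\
# constructed example of an unhardened gpg.conf
keyid-format 0xlong
personal-digest-preferences SHA1
cert-digest-algo SHA1
default-preference-list SHA1 SHA256 AES CAST5 ZLIB ZIP
"""

# The three lines recommended in the mail, verbatim.
HARDENED_CONF = """\
personal-digest-preferences SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
"""


def parse_gpg_conf(text):
    """Return {option: value} from gpg.conf text.

    gpg reads one option per line; lines whose first non-blank character
    is '#' are comments; a repeated single-valued option takes the last value.
    """
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        options[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return options


def _normalize(token):
    # Accept "SHA-256" and "sha256" as the same algorithm name.
    return token.upper().replace("-", "")


def check_digests(options):
    """Return a list of findings; an empty list means the config is hardened."""
    findings = []

    # personal-digest-preferences: ordered list gpg consults when signing.
    pref = options.get("personal-digest-preferences")
    if pref is None:
        findings.append("personal-digest-preferences is not set (gpg's built-in default applies)")
    else:
        tokens = [_normalize(t) for t in pref.split()]
        weak = [t for t in tokens if t in WEAK_DIGESTS]
        if weak or not any(t in STRONG_DIGESTS for t in tokens):
            findings.append(f"personal-digest-preferences allows weak digests: {pref}")

    # cert-digest-algo: single digest used for key signatures/certifications.
    cert = options.get("cert-digest-algo")
    if cert is None:
        findings.append("cert-digest-algo is not set (certifications may use SHA1)")
    elif _normalize(cert) not in STRONG_DIGESTS:
        findings.append(f"cert-digest-algo uses a weak digest: {cert}")

    # default-preference-list: preferences written into newly generated keys;
    # the first digest named is the one correspondents will favour.
    dpl = options.get("default-preference-list")
    if dpl is None:
        findings.append("default-preference-list is not set (the mail recommends setting it explicitly)")
    else:
        tokens = [_normalize(t) for t in dpl.split()]
        digests = [t for t in tokens if t in STRONG_DIGESTS | WEAK_DIGESTS]
        if not digests or digests[0] not in STRONG_DIGESTS:
            findings.append(f"default-preference-list ranks a weak digest first: {dpl}")

    return findings


def lint(text):
    """Parse gpg.conf text and return the digest findings."""
    return check_digests(parse_gpg_conf(text))


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        problems = lint(conf)
        print(f"{name}: {'OK' if not problems else ''}")
        for problem in problems:
            print("  -", problem)
```

Run it against your own `~/.gnupg/gpg.conf` by passing the file contents to `lint()`; an empty result means the three settings are present and free of SHA-1. The check deliberately treats a missing option as a finding rather than guessing at gpg's version-dependent defaults, which is exactly why the mail asks for the options to be set explicitly.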


