On Sun, Nov 22, 2015 at 03:31:08PM +0000, Peter Stephenson wrote:
> This has been mentioned before and I'm happy to go along with it if
> someone who knows what they're doing wants to set it up / establish
> ground rules. I'll need to set up a gpg key as it doesn't like my
> existing PGP key.

Hello,

Thanks for considering it. The guide at [1] has all the necessary
information to create a secure GPG key. The important parts:

Put the following in your ~/.gnupg/gpg.conf (or use the version from [2]):

    personal-digest-preferences SHA256
    cert-digest-algo SHA256
    default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

These config settings are important to prevent gpg from using SHA-1,
which might become insecure in the future.

Then run

    gpg --gen-key

and accept the defaults (or change them as you see fit; but the key
should be >= 2048 bit).

Now you can sign all tarballs with

    gpg --armor --detach-sign

and tag the commits with

    git tag -s

(add -u keyid if you have multiple keys).

I attached a small patch which will take care of the signing of the
tarballs.

> (The idea that a tag signed by me is somehow "safer" than anything else
> on the master branch in the git repository is a bit far-fetched, but
> that's a different issue; nothing wrong with using the state of the art
> technology.)

The idea is not safer, but at least attributable to you. Same for the
tarball. It ensures that everybody gets the same, hopefully trustable,
version.

Regards,
Simon

[1]: https://help.riseup.net/en/gpg-best-practices
[2]: https://raw.githubusercontent.com/ioerror/duraconf/master/configs/gnupg/gpg.conf

--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
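The procedure in the mail above (the three gpg.conf settings, `gpg --armor --detach-sign` for the tarball, `git tag -s` with an optional `-u keyid`) as one added shell example. This is not code from the mail, from the zsh project or from the attached patch (which is not reproduced on this page); the function names, the two constructed sample configs and the placeholder file names in the usage section are assumptions. The config check goes slightly beyond the mail: it treats MD5 the same way as SHA1 and looks at the first entry of each preference list, because that is the entry gpg prefers.

```shell
#!/bin/sh
# Added example, not code from the mail, the zsh project or the attached
# patch. Function names, the constructed sample configs and the file names
# in the usage section are assumptions.

# The three gpg.conf lines the mail asks for, as a constructed sample config.
good_conf_example() {
    cat <<'EOF'
personal-digest-preferences SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
EOF
}

# Constructed counter-example: a config that pins certification to SHA1 and
# leaves the other two preferences to gpg's defaults.
weak_conf_example() {
    cat <<'EOF'
# keyserver settings only; digest choice left to gpg
keyserver hkp://keys.gnupg.net
cert-digest-algo SHA1
EOF
}

# A digest name is acceptable unless it is missing, SHA1 or MD5.
digest_ok() {
    case "$1" in
        ""|SHA1|MD5) return 1 ;;
        *)           return 0 ;;
    esac
}

# Return 0 when every setting the mail lists is present in the given gpg.conf
# and its first (i.e. preferred) entry passes digest_ok; 1 otherwise.
# Comment lines never match because their first field starts with '#'.
check_gpg_conf() {
    conf="$1"
    for key in personal-digest-preferences cert-digest-algo default-preference-list; do
        first=$(awk -v k="$key" '$1 == k { print $2; exit }' "$conf")
        digest_ok "$first" || return 1
    done
    return 0
}

# Detached ASCII-armoured signature of a tarball, as in the mail; gpg writes
# it to $tarball.asc. The optional second argument is the key id to use when
# more than one key is available (the -u keyid the mail mentions).
sign_tarball() {
    tarball="$1"; keyid="${2:-}"
    if [ -n "$keyid" ]; then
        gpg --armor --detach-sign -u "$keyid" "$tarball"
    else
        gpg --armor --detach-sign "$tarball"
    fi
}

# Check that the signature verifies against the tarball before publishing both.
verify_tarball() {
    gpg --verify "$1.asc" "$1"
}

# Signed tag for the release commit (git tag -s, optionally -u keyid).
tag_release() {
    tag="$1"; keyid="${2:-}"
    if [ -n "$keyid" ]; then
        git tag -s -u "$keyid" -m "$tag" "$tag"
    else
        git tag -s -m "$tag" "$tag"
    fi
}

# Stand-alone usage (file names are placeholders):
#   sh release-sign.sh --check ~/.gnupg/gpg.conf
#   sh release-sign.sh --sign zsh-X.Y.Z.tar.xz [keyid]
#   sh release-sign.sh --tag zsh-X.Y.Z [keyid]
case "${1:-}" in
    --check) check_gpg_conf "$2" && echo "ok: $2 avoids SHA-1" \
                 || { echo "weak: $2 lacks a setting or prefers SHA-1/MD5"; exit 1; } ;;
    --sign)  sign_tarball "$2" "${3:-}" && verify_tarball "$2" ;;
    --tag)   tag_release "$2" "${3:-}" ;;
esac
```

The `--check` mode only reads the config file and needs no key, so it can run before `gpg --gen-key`; `--sign` and `--tag` need a generated key and run the exact commands from the mail, with the verification step added so a broken signature is caught before the tarball and its `.asc` are uploaded.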