PGP-sign your releases about safe-wallet-web HOT 4 CLOSED

based on your edit I presume you understand what I meant, though your language makes me unsure. in any case, here's the explanation.

what Github provides you with is not PGP signing in the proper sense. the private key of that key pair belongs to Github:

$ gpg --keyserver pgp.mit.edu --recv-key 4AEE18F83AFDEB23
...
gpg: key 4AEE18F83AFDEB23: public key "GitHub (web-flow commit signing) [email protected]" imported

you are outsourcing the authenticity proving to the same third party that we download the releases from, so not only is this insufficient, it's also redundant, apart from DNS-hijacking and domain name takeover scenarios.

what you wanna do (short version) is 1) have each of your release managing devs generate a PGP key pair that they use solely for signing releases (can be done with a Trezor too, much safer), 2) upload the public keys to PGP key servers, your website and your Github, 3) publish the key fingerprints on many diverse channels (website, Github, ENS, Twitter, write on your hand and read it out in a video, T-shirts, conference slides), 4) have each of these devs sign each release, and 5) upload the signatures together with the binaries (you can put all signatures in a single file like Electrum devs do).

long versions here and here.

from safe-wallet-web.

Cool, thanks for breaking it down.

I've already created a GPG key pair and configured git to use it. Still need to do steps 3, 4 and 5.

Looks like uploading the signature and code archives would have to be a manual process.

from safe-wallet-web.

indeed, since a key needs to be in the sole physical ownership of each signing party, it is an additional manual process. (thanks for linking to that Debian Wiki entry, it does a much better job at explaining than my "long version" links.)

from safe-wallet-web.

Doesn't GitHub already sign them?

We'll make sure to also sign direct commits with individual GPG signatures. Thanks for flagging this!

from safe-wallet-web.