Release assets should be signed

[jlebon]

Can you provide a detached signature of the binaries when doing releases?

[1player]

Sure, though I don't know how to get started with that. Do you have any pointers?

[1player]

I've looked into this, and I'm not exactly sure what kind of benefit would it provide over just compiling the application yourself if you do not trust the binaries.

Also, were I to set it up, I would use more sane tools like OpenBSD's signify or minisign, than the abomination that is PGP/GPG. Given that I don't know why you need signatures, I'm not even sure if you require any specific format or it would just be a lot of work that is ultimately not very useful.

Again, I'm just ambivalent about the idea, so I'd like to know more about your use case to form a plan of action.

[jlebon]

I'm not familiar with signify or minisign but am willing to learn to use it if it's available in Fedora. That said, if there isn't demand for it, I'm OK just recompiling it myself for now and saving yourself the overhead. :) (But ideally, it'd be nice if either this gets packaged into Fedora or folded into toolbx.)

[1player]

The overhead with minisign is pretty minimal, I'm just not sure what these signatures are supposed to defend against... ultimately I offer binaries to download, so you will still have to trust me, or Github Actions in this case, that they've not been tampered with.

BTW, there is an pending request from your colleague in #10 to adapt the code to be used in toolbx, but the discussion has stalled for the moment.

[jlebon]

As is, one has to trust both you and GitHub (or that it hasn't been compromised). If the binaries are signed, one only has to trust you (which I already do, since I use your code :) ). But again, I'm OK recompiling from tags (though ideally, those would be signed too).