Re: Code signing
toggle quoted message Show quoted text
For those who don't know me I'm a Release Engineer at the Linux Foundation and am helping the ASWF project get setup. Feel free to direct any CI related questions to me.
I can confirm that signing is very important to many of our projects and we definitely sign both our artifacts (binaries) as well as git tags when we release software for many of our other projects at the Linux Foundation.
Today the signing is done manually via "git tag -s" as well as gpg sign of release artifacts when projects approve a staged release for public release.
We are working on providing some automation in our CI platform to allow projects to have their artifacts signed along with the staging jobs (these jobs prepare releases) but it's not ready just yet.
On Tue, Aug 21, 2018 at 7:31 PM Meadhbh Hamrick <ohmeadhbh@...> wrote:
I bet security requirements are going to be all over the map in this group.