Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: zsh 5.1.1-test-1

X-seq: zsh-workers 37209
From: Simon Ruderich <simon@xxxxxxxxxxxx>
To: zsh-workers@xxxxxxx
Subject: Re: zsh 5.1.1-test-1
Date: Tue, 24 Nov 2015 08:41:19 +0100
In-reply-to: <20151122153108.6054abfc@ntlworld.com>
List-help: <mailto:zsh-workers-help@zsh.org>
List-id: Zsh Workers List <zsh-workers.zsh.org>
List-post: <mailto:zsh-workers@zsh.org>
Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
References: <20151121183514.527eccf6@ntlworld.com> <20151121190908.GA1249@ruderich.org> <20151122153108.6054abfc@ntlworld.com>

On Sun, Nov 22, 2015 at 03:31:08PM +0000, Peter Stephenson wrote:
> This has been mentioned before and I'm happy to go along with it if
> someone who knows what they're doing wants to set it up / establish
> ground rules.  I'll need to set up a gpg key as it doesn't like my
> existing PGP key.

Hello,

Thanks for considering it.

The guide at [1] has all the necessary information to create a
secure GPG key. The important parts: Put the following in your
~/.gnupg/gpg.conf (or use the version from [2]):

    personal-digest-preferences SHA256
    cert-digest-algo SHA256
    default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

These config settings are important to prevent gpg from using
SHA-1, which might become insecure in the future.

Then run gpg --gen-key and accept the defaults (or change them as
you see fit; but the key should be >= 2048 bit).

Now you can sign all tarballs with gpg --armor --detach-sign and
tag the commits with git tag -s (add -u keyid if you have
multiple keys).

I attached a small patch which will take care of the signing of
the tarballs.

> (The idea that a tag signed by me is somehow "safer" than anything else
> on the master branch in the git repository is a bit far-fetched, but
> that's a different issue; nothing wrong with using the state of the art
> technology.)

The idea is not safer, but at least attributable to you. Same for
the tarball. It ensures that everybody gets the same, hopefully
trustable, version.

Regards
Simon

[1]: https://help.riseup.net/en/gpg-best-practices
[2]: https://raw.githubusercontent.com/ioerror/duraconf/master/configs/gnupg/gpg.conf
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9

From 42cbfc9e606250e3bf3d8d8930f06793429a925c Mon Sep 17 00:00:00 2001
Message-Id: <42cbfc9e606250e3bf3d8d8930f06793429a925c.1448350522.git.simon@xxxxxxxxxxxx>
From: Simon Ruderich <simon@xxxxxxxxxxxx>
Date: Tue, 24 Nov 2015 08:35:12 +0100
Subject: [PATCH] Makefile.in: sign tarballs with gpg

---
 Makefile.in | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Makefile.in b/Makefile.in
index cb74e94..dc86264 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -167,6 +167,7 @@ $(DISTNAME).tar.gz: FORCE
 	echo '#define ZSH_PATCHLEVEL "'`cd $(sdir_top) && git describe --tags --long`'"' >$(DISTNAME)/Src/patchlevel.h.release
 	tar cf - $(DISTNAME) | gzip -9 > $@
 	rm -rf $(DISTNAME)
+	gpg --armor --detach-sign $@
 
 targz-doc: $(DISTNAME)-doc.tar.gz
 $(DISTNAME)-doc.tar.gz: FORCE
@@ -174,5 +175,6 @@ $(DISTNAME)-doc.tar.gz: FORCE
 	    $(MAKE) $(MAKEDEFS)
 	tar cf - $(DISTNAME) | gzip -9 > $@
 	rm -rf $(DISTNAME)
+	gpg --armor --detach-sign $@
 
 FORCE:
-- 
2.6.2

Attachment: signature.asc
Description: PGP signature

References:
- zsh 5.1.1-test-1
  - From: Peter Stephenson
- Re: zsh 5.1.1-test-1
  - From: Simon Ruderich
- Re: zsh 5.1.1-test-1
  - From: Peter Stephenson

Messages sorted by: Reverse Date, Date, Thread, Author