On Sat, Apr 6, 2024 at 4:23 AM Johannes Zarl-Zierl <johan...@zarl-zierl.at> wrote:
> On Friday, 5 April 2024, 13:45:35 CEST, Carl Schwan wrote:
> > On Friday, April 5, 2024 12:04:28 PM CEST Albert Vaca Cintora wrote:
> > > - Tarballs should only be generated in a reproducible manner using
> > > scripts. Ideally by the CI only.
> > > - We should start to sign tarballs in the CI.
> >
> > I disagree. I want my tarball to be signed with my GPG key stored in my
> > YubiKey and not by a generic KDE key. It should be a proof that I as a
> > maintainer of a project did the release and not someone else. Same with the
> > upload to download.kde.org, while this adds some overhead in the process, I
> > think it is important that KDE Sysadmins are the ones who move the tarball
> > to their final location and do some minimal check (checksum match, it's not
> > a random person doing the release, ...).
>
> Signing with a KDE key could have some benefits, though. It's far easier for
> distros (or users) to check KDE software against a single, well-known key.
>
> One could mitigate the downside that you mentioned by having the script check
> the tag signature against a keyring of trusted keys.

Please see https://invent.kde.org/sysadmin/release-keyring/ - our process for
validating tarballs for release already includes ensuring the GPG signatures
provided are included in that keyring.

All modern releases of KDE software that come with a GPG signature whose key is
not in that keyring should be rejected.

Developers should also consider adding their keys to Gitlab at
https://invent.kde.org/-/profile/gpg_keys

Following this, your GPG key will be published at
https://invent.kde.org/$username.gpg

> Cheers,
> Johannes

Cheers,
Ben
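The check Johannes proposes and Ben describes (verify the tarball signature only against a keyring of trusted release keys, reject anything signed by a key outside it) can be scripted as below. This is an added example written for this page; it is not KDE sysadmin tooling and not code from anyone in the thread. The file names release-keyring.gpg and trusted-fprs.txt are hypothetical, and the fingerprints and the gpg status transcripts embedded for the stand-alone run are constructed for the example. The gpg options used (--no-default-keyring, --keyring, --status-fd, --keyserver-options no-auto-key-retrieve) are real; the decision is taken from gpg's machine-readable status lines rather than its human-readable output.

```shell
#!/bin/sh
# Added example, not KDE sysadmin tooling: accept a release tarball's detached
# GPG signature only if gpg verifies it with an isolated keyring AND the signing
# key's primary fingerprint is on an explicit allowlist. Decisions are made from
# gpg's machine-readable --status-fd lines, never from its human-readable text.
#
# Assumed (hypothetical) layout: release-keyring.gpg is a keyring file exported
# from the release keyring repository, and trusted-fprs.txt lists one 40-hex
# primary-key fingerprint per line.

# classify_status STATUS_TEXT ALLOWLIST_TEXT
#   Prints "ACCEPT <primary-fpr>" or "REJECT <reason>"; returns 0 only on ACCEPT.
classify_status() {
    status=$1
    allow=$2
    bad='^\[GNUPG:\] (BADSIG|ERRSIG|NO_PUBKEY|EXPSIG|EXPKEYSIG|REVKEYSIG) '

    # Any of these lines means the signature must not be trusted, whatever else
    # gpg reported (a key missing from the keyring shows up as ERRSIG+NO_PUBKEY).
    if printf '%s\n' "$status" | grep -Eq "$bad"; then
        reason=$(printf '%s\n' "$status" | grep -E "$bad" | awk '{print $2}' \
                 | sort -u | paste -s -d, -)
        echo "REJECT $reason"
        return 1
    fi
    if ! printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG '; then
        echo "REJECT NO_GOODSIG"
        return 1
    fi

    # VALIDSIG: field 3 is the fingerprint of the (sub)key that made the
    # signature, field 12 the primary key's fingerprint. Pin the primary key,
    # since maintainers rotate signing subkeys.
    primary=$(printf '%s\n' "$status" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $12 }')
    case $primary in
        ''|*[!0-9A-F]*) echo "REJECT NO_VALIDSIG"; return 1 ;;
    esac
    [ "${#primary}" -eq 40 ] || { echo "REJECT NO_VALIDSIG"; return 1; }

    # An isolated keyring alone is not enough: a key smuggled into the keyring
    # file would still verify. The allowlist is the second check.
    if printf '%s\n' "$allow" | grep -qxF -- "$primary"; then
        echo "ACCEPT $primary"
        return 0
    fi
    echo "REJECT UNTRUSTED_KEY $primary"
    return 1
}

# verify_release TARBALL SIGFILE KEYRING ALLOWLIST_FILE
#   KEYRING must contain a slash (e.g. ./release-keyring.gpg); a bare name is
#   looked up inside gpg's home directory instead.
verify_release() {
    status=$(gpg --batch --no-default-keyring --keyring "$3" \
                 --keyserver-options no-auto-key-retrieve \
                 --status-fd 1 --verify "$2" "$1" 2>/dev/null)
    classify_status "$status" "$(cat "$4")"
}

# Constructed --status-fd transcripts and fingerprints for the stand-alone demo.
TRUSTED_FPRS='# primary-key fingerprints from the release keyring (constructed)
0123456789ABCDEF0123456789ABCDEF01234567'

SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG AAAA1111AAAA2222AAAA3333AAAA4444AAAA5555 2024-04-05 1712318400 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Good signature, but from a key the allowlist does not know.
SAMPLE_ROGUE='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 3210FEDCBA987654 Someone Else <else@example.org>
[GNUPG:] VALIDSIG BBBB1111BBBB2222BBBB3333BBBB4444BBBB5555 2024-04-05 1712318400 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Signature made by a key that is in the keyring but revoked.
SAMPLE_REVOKED='[GNUPG:] NEWSIG
[GNUPG:] REVKEYSIG 89ABCDEF01234567 Example Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG AAAA1111AAAA2222AAAA3333AAAA4444AAAA5555 2024-04-05 1712318400 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'

# Signature whose key is absent from the isolated keyring: gpg cannot verify it.
SAMPLE_UNKNOWN='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 7777666655554444 1 10 00 1712318400 9 -
[GNUPG:] NO_PUBKEY 7777666655554444'

for s in "$SAMPLE_GOOD" "$SAMPLE_ROGUE" "$SAMPLE_REVOKED" "$SAMPLE_UNKNOWN"; do
    classify_status "$s" "$TRUSTED_FPRS" || true
done
# Prints, in order:
#   ACCEPT 0123456789ABCDEF0123456789ABCDEF01234567
#   REJECT UNTRUSTED_KEY FEDCBA9876543210FEDCBA9876543210FEDCBA98
#   REJECT REVKEYSIG
#   REJECT ERRSIG,NO_PUBKEY
```

Against a real release the call is `verify_release foo-1.2.3.tar.xz foo-1.2.3.tar.xz.sig ./release-keyring.gpg trusted-fprs.txt`. Two points of the design matter for the thread: the keyring is isolated (no default keyring, no key auto-retrieval), so a signature from a developer key that was never added to the release keyring fails as ERRSIG/NO_PUBKEY exactly as Ben says it should; and the fingerprint allowlist is checked on the primary key, so a maintainer who signs with a rotated subkey of an already-trusted key still passes while a key that merely happens to be present in the keyring file does not.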