On Fri, 2017-02-24 at 14:52 +0100, Bruno Pagani wrote:
> Debian wrote a nice page about this:
> https://wiki.debian.org/Creating%20signed%20GitHub%20releases

This wiki offers bad advice.  It trusts that GitHub itself is not
compromised and will provide a good download based on the repository
alone.

Thankfully, because GitHub normally just uses `git archive` and those
releases are deterministic, it can be solved by using your local
repository alone, for example:

$ git archive --format=tar.gz --prefix=mysoftware-0.4/ mysoftware-0.4 \
  | gpg -a -b -o mysoftware-0.4.tar.gz.asc
