[Borgbackup] Signed (Unofficial) Windows installers

Thomas Waldmann tw at waldmann-edv.de
Wed Sep 14 20:19:39 EDT 2016


On 09/15/2016 02:00 AM, Billy Charlton wrote:
> I've been building unofficial Windows installers since borg 1.0.
> Recently on the installer's GitHub issue [1] it was suggested that I
> sign them with GPG. So, I've set that up. I've added a signature for
> release 1.0.7 and will sign future builds as well. 

Great! :)

> 
> I'm new to this though, so I have some questions: 
> - Do you want my public key? I uploaded it to pgp.mit.edu
> <http://pgp.mit.edu>

That is enough. It should also be available from other keyservers now.

What you should publish though is your full key fingerprint, so people
can make sure they really got the right one.

gpg --fingerprint YOURID

> [2] -- does someone want to verify that or something? 

That would be useful, but usually has to be done personally to verify
documents (passport, ID) against the person.

To get at least some signatures, maybe attend some gpg keysigning party
at a hackerspace or event.

> - Is there somewhere else I should push these or announce the builds?

You could publish them on github in your own repository.

If you sign it with gpg (and users verify your signature), the
distribution channel doesn't matter much though as people can make sure
it is stuff from you and it is unmodified as you released it.


-- 


GPG ID: 9F88FB52FAF7B393
GPG FP: 6D5B EF9A DD20 7580 5747 B70F 9F88 FB52 FAF7 B393
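
What publishing the full fingerprint buys a user, as an added example (not part of the original message): a shell check that accepts a detached signature only when gpg reports it good and the signer's primary-key fingerprint equals the published one. The function names, the file arguments and the sample status text are constructed for illustration; `GOODSIG` and `VALIDSIG` are lines gpg writes with `--status-fd`.

```shell
#!/bin/sh
# Added example: accept a detached signature only from a pinned fingerprint.

# Constructed sample of `gpg --status-fd 1 --verify` output (not real keys).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111222233334444 Example Builder <builder@example.invalid>
[GNUPG:] VALIDSIG AAAABBBBCCCCDDDDEEEEFFFF0000111122223333 2016-09-14 1473898779 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'

# Strip spaces and upper-case, so spaced or lower-case input compares equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# signer_fpr STATUS_TEXT
# Print the signer's primary-key fingerprint, but only if gpg reported GOODSIG
# (EXPKEYSIG, REVKEYSIG and BADSIG therefore yield nothing).
# VALIDSIG's last field is the primary key; field 3 is the signing (sub)key
# and is the fallback when the last field is not a fingerprint.
signer_fpr() {
    printf '%s\n' "$1" | awk '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" { fpr = (length($NF) >= 40 && $NF ~ /^[0-9A-Fa-f]+$/) ? $NF : $3 }
        END { if (good && fpr != "") print fpr }'
}

# fpr_matches EXPECTED_FPR STATUS_TEXT -> 0 only for a good, pinned signature
fpr_matches() {
    got=$(signer_fpr "$2")
    [ -n "$got" ] && [ "$(norm_fpr "$got")" = "$(norm_fpr "$1")" ]
}

# verify_installer EXPECTED_FPR SIGFILE DATAFILE
# The key must already be in the keyring (e.g. fetched from a keyserver).
verify_installer() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null) || return 1
    fpr_matches "$1" "$status"
}
```

The expected fingerprint should come from a channel other than the one that delivered the installer and signature, otherwise the pin adds nothing.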


