Mark,

On 1/24/17 12:36 PM, Mark Thomas wrote:
> On 24/01/2017 16:31, Christopher Schultz wrote:
>> Mark,
>>
>> On 1/23/17 5:53 AM, Mark Thomas wrote:
>>> I think it would be useful if we configured buildbot to publish
>>> snapshots (probably as part of the daily build) to repository.a.o.
>>> Therefore I have requested the appropriate credentials from infra and
>>> when I have them I'll make the necessary changes to the buildbot config.
>>> It might also be necessary to tweak our build scripts.
>>
>> +1
>>
>> Will those (non) releases be signed?
>
> No. Handling that is one of the tweaks I'm expecting to have to make to
> the build script.
I'm kind of -0 or +0 on signing nightlies. On the one hand, they are being auto-signed, which is pretty risky because anyone with access to the build server can then sign releases. On the other hand, we would certainly be using a "nightly release signer" and not e.g. markt's release-signing keys, so that's a little less risky: the signing key will clearly advertise what it's being used for.

I just want to make sure that a nightly-signed release is somehow flagged by ... whoever cares to check for signatures. I wouldn't want a normal release signed by the nightly-release key to be mistaken for an official release. Is there a sane way to do that?

With X.509, you'd just make sure that the nightly-release signer wasn't trusted by the root authority that everybody is supposed to trust. That way, the code is signed, but the signature isn't automatically trusted by everybody.

I have no idea how the code-signing works for our releases, since I just grab the binary tarball and use that. GPG checks the signature of the file for me. But my understanding is that the code-signing that Symantec provides to us is something else entirely (e.g. signing the installer .exe for Windows). So I'm happy to be educated.

-chris
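The following is an added example, not part of the thread above and not Tomcat's own build or verification tooling. It shows one answer to Chris's question: a verifier that decides which key produced a detached OpenPGP signature by reading the primary-key fingerprint from gpg's `VALIDSIG` status line and comparing it against two separate allow-lists, so that an artifact signed by a dedicated nightly key is flagged as NIGHTLY rather than accepted as a release. The fingerprints, file names and the keyring path are placeholders assumed for illustration; the status-line layout is the one documented in GnuPG's DETAILS file. Note that `gpg --verify` prints "Good signature" for the nightly key just as it does for a release key once the key is in the keyring, which is exactly why the fingerprint has to be checked explicitly.

```shell
#!/bin/sh
# Added example (hypothetical tooling, not Tomcat's). Classifies an OpenPGP
# signature by the primary-key fingerprint gpg reports, so a nightly-key
# signature is flagged instead of being mistaken for a release signature.
# All fingerprints below are made-up placeholders (assumption, not real keys).

RELEASE_FPRS="AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"   # release-manager keys
NIGHTLY_FPRS="0000FFFF1111EEEE2222DDDD3333CCCC4444BBBB"   # the "nightly release signer"

# in_list NEEDLE LIST   (LIST is whitespace separated); returns 0 if found
in_list() {
    for item in $2; do
        [ "$1" = "$item" ] && return 0
    done
    return 1
}

# classify_signer STATUS_TEXT
# STATUS_TEXT is gpg's --status-fd output from one --verify run.
# Prints RELEASE, NIGHTLY, UNKNOWN (good signature, unlisted key) or
# BAD (bad signature, or no verifiable signature at all). Always returns 0.
classify_signer() {
    status=$1
    if printf '%s\n' "$status" | grep -q '^\[GNUPG:\] BADSIG '; then
        echo BAD; return 0
    fi
    # VALIDSIG is only emitted for a good signature. Its fields are:
    # [GNUPG:] VALIDSIG <sigkey-fpr> <date> <ts> <expire> <ver> <reserved>
    #          <pubkey-algo> <hash-algo> <sig-class> [<primary-key-fpr>]
    # Compare the primary-key fingerprint (field 12), falling back to the
    # signing-key fingerprint (field 3). Never compare short key IDs.
    fpr=$(printf '%s\n' "$status" |
          awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print ($12!="" ? $12 : $3); exit}')
    if [ -z "$fpr" ]; then
        echo BAD; return 0       # NO_PUBKEY, ERRSIG, or no signature at all
    fi
    if in_list "$fpr" "$RELEASE_FPRS"; then echo RELEASE
    elif in_list "$fpr" "$NIGHTLY_FPRS"; then echo NIGHTLY
    else echo UNKNOWN
    fi
}

# verify_artifact FILE SIG KEYRING
# Verifies FILE against detached SIG using only KEYRING (which may hold both
# release and nightly keys), prints the classification, and succeeds only
# for a release-key signature.
verify_artifact() {
    out=$(gpg --batch --no-default-keyring --keyring "$3" \
              --status-fd 1 --verify "$2" "$1" 2>/dev/null)
    label=$(classify_signer "$out")
    echo "$1: $label"
    [ "$label" = RELEASE ]
}

# Typical call (paths are placeholders):
# verify_artifact apache-tomcat-snapshot.tar.gz apache-tomcat-snapshot.tar.gz.asc ./keys.gpg
```

Usage note: if the nightly key is simply never published in the project's KEYS file, a nightly artifact fails verification outright (gpg reports NO_PUBKEY, which this script reports as BAD); the allow-list approach above is for the case where you deliberately import the nightly key but still want its signatures labelled as such, which is the OpenPGP analogue of the "signed, but not trusted by the root everyone trusts" X.509 arrangement Chris describes.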