New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Release GPG-signed binary #563
Comments
I agree with the idea, if the team wants to, they can do something like tails team does that is share a key with a selected member of members using for example Shamir's_secret_sharing and having backup people. |
@aikooo7 SSSS is not really suitable for this. Just make multiple signatures so that we can avoid problems if one of the signing machines is compromised. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This is basically a replacement of #537
To avoid
cargo-crev
itself being compromised it'd be helpful for a few independent developers to sign its, deterministically-built, binary and publish it with release. This also bypasses the problem of getting the newest Rust from trusted source (assuming the maintainers did).GPG is widely-used, understood and available in distros so I think it's the best choice. The keys can be distributed via keybase or other independent channels.
The text was updated successfully, but these errors were encountered: