[cfe-dev] RFC: Automated signing of release files

Tom Stellard via cfe-dev cfe-dev at lists.llvm.org
Tue Jan 12 21:13:13 PST 2021


Hi,

I would like to automate the signing of some of the release files we 
upload to the release page, starting with the source tarballs.  My 
initial goal is to have a CI job that automatically creates, signs, and 
uploads the source tarballs, whenever a new release is tagged.  I would 
also like the key used for signing to be a 'project' key and not 
someone's personal key.

Once this is done, I would like to implement something similar for the 
release binaries, so that testers could upload the binaries and have 
them automatically signed.  This will be more difficult than the source 
tarballs, because the binaries are built by individual testers, so we 
would need to prove that they come from a trustworthy source.

Implementing these changes will help streamline the release process and 
let release managers avoid doing a lot of manual, mistake-prone tasks.

The questions I have for the community are:

Is this a good idea?

How can I implement this securely?

Thanks,
Tom
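The two phases of the proposal above, as an added example that is not part of the original post and is not LLVM's release tooling: a CI step signs the digest of a source tarball with a project key held only in CI, a consumer verifies the published checksum and signature, and for tester-built binaries CI countersigns only after checking the upload against a roster of trusted tester keys. Ed25519 from the Go standard library stands in for whatever key type the project would actually adopt (the post names none), and the artifact bytes, file names and roster are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Artifact is a release file as the CI job would see it: a name plus the
// bytes to sign. The contents used below are constructed sample data.
type Artifact struct {
	Name string
	Data []byte
}

// ReleaseSignature is the bundle published next to the artifact. The hex
// digest feeds a checksum file; the signature is made by the project key
// over that digest.
type ReleaseSignature struct {
	SHA256    string
	Signature []byte
}

// digest returns the SHA-256 of the artifact bytes.
func digest(a Artifact) []byte {
	h := sha256.Sum256(a.Data)
	return h[:]
}

// SignRelease is the automated CI step for source tarballs: hash the
// artifact and sign the digest with the project key, which never leaves CI.
func SignRelease(projectKey ed25519.PrivateKey, a Artifact) ReleaseSignature {
	d := digest(a)
	return ReleaseSignature{
		SHA256:    hex.EncodeToString(d),
		Signature: ed25519.Sign(projectKey, d),
	}
}

// VerifyRelease is what a downstream consumer runs: recompute the digest,
// compare it with the published checksum, then verify the project signature.
func VerifyRelease(projectPub ed25519.PublicKey, a Artifact, sig ReleaseSignature) error {
	d := digest(a)
	if hex.EncodeToString(d) != sig.SHA256 {
		return errors.New("checksum mismatch: artifact differs from what was signed")
	}
	if !ed25519.Verify(projectPub, d, sig.Signature) {
		return errors.New("project signature does not verify")
	}
	return nil
}

// TesterUpload models a binary built by an individual release tester: the
// artifact, the tester's public key, and the tester's signature over its digest.
type TesterUpload struct {
	Artifact  Artifact
	TesterKey ed25519.PublicKey
	TesterSig []byte
}

// CountersignBinary is the gate for the second phase: CI applies the project
// key to a binary only if the upload was signed by a key already on the
// trusted tester roster and that signature matches the uploaded bytes.
func CountersignBinary(projectKey ed25519.PrivateKey, roster []ed25519.PublicKey, up TesterUpload) (ReleaseSignature, error) {
	onRoster := false
	for _, k := range roster {
		if bytes.Equal(k, up.TesterKey) {
			onRoster = true
			break
		}
	}
	if !onRoster {
		return ReleaseSignature{}, errors.New("upload signed by a key not on the tester roster")
	}
	if !ed25519.Verify(up.TesterKey, digest(up.Artifact), up.TesterSig) {
		return ReleaseSignature{}, errors.New("tester signature does not match the uploaded binary")
	}
	return SignRelease(projectKey, up.Artifact), nil
}

func main() {
	// Constructed keys and data; a real pipeline would load the project key
	// from CI secrets and the roster from a reviewed file in the repository.
	projectPub, projectKey, _ := ed25519.GenerateKey(rand.Reader)
	tarball := Artifact{Name: "placeholder-src.tar.xz", Data: []byte("constructed sample tarball bytes")}
	sig := SignRelease(projectKey, tarball)
	fmt.Println("tarball verifies:", VerifyRelease(projectPub, tarball, sig) == nil)

	// A download altered in transit must fail the consumer-side check.
	tampered := Artifact{Name: tarball.Name, Data: append([]byte{}, tarball.Data...)}
	tampered.Data[0] ^= 0xff
	fmt.Println("tampered verifies:", VerifyRelease(projectPub, tampered, sig) == nil)
}
```

The split between SignRelease and CountersignBinary is the point: the project key's use on binaries is conditioned on an independent check of who built them, so adding a tester is a change to the roster, not a share of the project key.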