[cfe-dev] [llvm-dev] RFC: Automated signing of release files
Tom Stellard via cfe-dev
cfe-dev at lists.llvm.org
Tue Jan 12 21:41:13 PST 2021
On 1/12/21 9:22 PM, Deep Majumder wrote:
> Hi Tom,
> Although I am new to the community, I think this is a great idea. One
> question I have is how the project key would be securely stored. (Like
> where to store it and how to prevent leaks; I believe GitHub has a
> secrets feature. Would something similar be used?)
I'm not sure; this is one thing I would like advice about. If we used
GitHub Actions to do the signing, then using secrets would be one
option. I think we could also host our own GitHub Actions runner and
store the keys there.
-Tom
> Warm regards,
> Deep
>
> On Wed, Jan 13, 2021, 10:43 AM Tom Stellard via llvm-dev
> <llvm-dev at lists.llvm.org> wrote:
>
> Hi,
>
> I would like to automate the signing of some of the release files we
> upload to the release page, starting with the source tarballs. My
> initial goal is to have a CI job that automatically creates, signs, and
> uploads the source tarballs, whenever a new release is tagged. I would
> also like the key used for signing to be a 'project' key and not
> someone's personal key.
>
> Once this is done, I would like to implement something similar for the
> release binaries, so that testers could upload the binaries and have
> them automatically signed. This will be more difficult than the source
> tarballs, because the binaries are built by individual testers, so we
> would need to prove that they come from a trustworthy source.
>
> Implementing these changes will help streamline the release process and
> let release managers avoid doing a lot of manual, mistake-prone tasks.
>
> The questions I have for the community are:
>
> Is this a good idea?
>
> How can I implement this securely?
>
> Thanks,
> Tom
>
> _______________________________________________
> LLVM Developers mailing list
> llvm-dev at lists.llvm.org
> https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev
>
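The two flows Tom sketches (a CI job that builds and signs the source tarball with a project-held key, and a stricter path for binaries uploaded by individual testers), as an added example that is not part of this thread or of LLVM's release tooling. Ed25519 from the Go standard library stands in for the project's GPG key, the secret name LLVM_RELEASE_SIGNING_SEED and the tester allowlist are assumptions, and the source files and tester binary are constructed inputs.

```go
// Added example, not LLVM's release tooling. Models the signing flows
// discussed on the list: a project key read from a CI secret, a
// deterministic source tarball, a detached signature, and a
// countersigning step for tester-built binaries.
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"os"
	"sort"
	"time"
)

// keyEnvVar is a hypothetical CI secret holding the base64 Ed25519 seed.
const keyEnvVar = "LLVM_RELEASE_SIGNING_SEED"

// loadProjectKey reads the project signing key from the CI secret. The
// private key only ever exists inside the signing job; only signatures
// and the public key are published.
func loadProjectKey() (ed25519.PrivateKey, error) {
	b64 := os.Getenv(keyEnvVar)
	if b64 == "" {
		return nil, fmt.Errorf("%s not set", keyEnvVar)
	}
	seed, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(seed) != ed25519.SeedSize {
		return nil, errors.New("malformed signing seed")
	}
	return ed25519.NewKeyFromSeed(seed), nil
}

// buildSourceTarball produces a deterministic .tar.gz (sorted names,
// fixed mtimes, zero gzip timestamp) so that re-running the release job
// yields byte-identical archives and therefore comparable signatures.
func buildSourceTarball(files map[string]string) ([]byte, error) {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	gz.ModTime = time.Time{} // zero time is written as mtime 0
	tw := tar.NewWriter(gz)
	for _, n := range names {
		hdr := &tar.Header{Name: n, Mode: 0644, Size: int64(len(files[n])), ModTime: time.Unix(0, 0)}
		if err := tw.WriteHeader(hdr); err != nil {
			return nil, err
		}
		if _, err := tw.Write([]byte(files[n])); err != nil {
			return nil, err
		}
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	if err := gz.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// signArtifact returns a detached signature over the artifact bytes.
func signArtifact(priv ed25519.PrivateKey, artifact []byte) []byte {
	return ed25519.Sign(priv, artifact)
}

// verifyArtifact is what a downstream consumer runs with the published
// project public key; any modification of the artifact must fail here.
func verifyArtifact(pub ed25519.PublicKey, artifact, sig []byte) bool {
	return ed25519.Verify(pub, artifact, sig)
}

// countersignTesterBinary models the harder case: a binary built by an
// individual tester. The project signature is applied only if the upload
// verifies against a tester key that is on the project's allowlist.
func countersignTesterBinary(projectPriv ed25519.PrivateKey, allowed map[string]ed25519.PublicKey,
	tester string, binary, testerSig []byte) ([]byte, error) {
	pub, ok := allowed[tester]
	if !ok {
		return nil, fmt.Errorf("tester %q is not on the release-tester allowlist", tester)
	}
	if !ed25519.Verify(pub, binary, testerSig) {
		return nil, fmt.Errorf("upload from %q does not verify against their registered key", tester)
	}
	return ed25519.Sign(projectPriv, binary), nil
}

func main() {
	// Constructed sample: in CI the seed would come from the secret store.
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	os.Setenv(keyEnvVar, base64.StdEncoding.EncodeToString(priv.Seed()))
	projectKey, err := loadProjectKey()
	if err != nil {
		panic(err)
	}
	tarball, _ := buildSourceTarball(map[string]string{
		"llvm-project/CMakeLists.txt": "project(LLVM)\n",
		"llvm-project/README.md":      "constructed sample\n",
	})
	sig := signArtifact(projectKey, tarball)
	pub := projectKey.Public().(ed25519.PublicKey)
	fmt.Println("tarball verifies:", verifyArtifact(pub, tarball, sig))
	tampered := append([]byte{}, tarball...)
	tampered[len(tampered)-1] ^= 1
	fmt.Println("tampered verifies:", verifyArtifact(pub, tampered, sig))
}
```

The point the code makes about key storage: whichever option is chosen, the signing job must be the only place the private key is readable. With a GitHub Actions secret that means scoping it to an environment whose protection rules limit it to release-tag workflows run by release managers, since any workflow that can read the secret can exfiltrate it; with a self-hosted runner the key stays off GitHub, but the runner host itself then has to be locked down to the same standard. For tester-built binaries, the allowlist-plus-tester-signature check is what turns "someone uploaded a file" into the provenance the project signature is supposed to vouch for.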