[lldb-dev] [llvm-dev] RFC: Automated signing of release files
Tom Stellard via lldb-dev
lldb-dev at lists.llvm.org
Tue Jan 12 21:41:13 PST 2021
On 1/12/21 9:22 PM, Deep Majumder wrote:
> Hi Tom,
> Although I am new to the community, I think this is a great idea. One
> question I have is how would the project key be securely stored. (Like
> where to store it and how to prevent leaks, I believe GitHub has a
> secrets feature. Would something similar be used?)
I'm not sure, this is one thing I would like advice about. If we used
GitHub actions to do the signing, then using secrets would be one
option. I think we could also host our own GitHub Actions runner and
store the keys there.
> Warm regards,
> On Wed, Jan 13, 2021, 10:43 AM Tom Stellard via llvm-dev
> <llvm-dev at lists.llvm.org> wrote:
> I would like to automate the signing of some of the release files we
> upload to the release page, starting with the source tarballs. My
> initial goal is to have a CI job that automatically creates, signs, and
> uploads the source tarballs, whenever a new release is tagged. I would
> also like the key used for signing to be a 'project' key and not
> someone's personal key.
> Once this is done, I would like to implement something similar for the
> release binaries, so that testers could upload the binaries and have
> them automatically signed. This will be more difficult than the source
> tarballs, because the binaries are built by individual testers, so we
> would need to prove that they come from a trustworthy source.
> Implementing these changes will help streamline the release process and
> let release managers avoid doing a lot of manual, mistake-prone tasks.
> The questions I have for the community are:
> Is this a good idea?
> How can I implement this securely?
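The binary-provenance gate Tom describes above (testers build the binaries, so the CI job must confirm the upload comes from a trusted tester before re-signing it with the project key) as an added example; this is not code from the RFC or from LLVM's release tooling. It assumes gpg is installed, that each upload carries a detached signature at `<file>.sig`, and that release managers maintain an allow-list of tester key fingerprints; the fingerprints below are constructed placeholders.

```python
"""Accept a tester-uploaded release binary only if its detached signature
verifies AND the signing key is on the tester allow-list.

The gpg exit status alone says "some signature verified"; it does not say
by whom.  The VALIDSIG status line carries the primary-key fingerprint, so
that is what the gate checks.  (Added example; gpg invocation assumed.)"""
import subprocess
from typing import Optional

# Constructed placeholder fingerprints, not real tester keys.
TRUSTED_TESTER_FINGERPRINTS = {
    "0000000000000000000000000000000000000001",
    "0000000000000000000000000000000000000002",
}

# Any of these status keywords means the signature must be rejected.
REJECT_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def signer_fingerprint(status_output: str) -> Optional[str]:
    """Return the primary-key fingerprint from gpg --status-fd output, or
    None if any line reports a bad/erroneous/expired/revoked signature.

    VALIDSIG's last field is the primary key fingerprint (the second field
    may be a subkey), so the allow-list is matched against the last field."""
    fpr = None
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword in REJECT_KEYWORDS:
            return None
        if keyword == "VALIDSIG":
            fpr = fields[-1].upper()
    return fpr


def is_from_trusted_tester(binary_path: str,
                           allowlist=TRUSTED_TESTER_FINGERPRINTS) -> bool:
    """Run gpg --verify on <binary>.sig and gate on the signer's key."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify",
         binary_path + ".sig", binary_path],
        capture_output=True, text=True)
    fpr = signer_fingerprint(proc.stdout)
    return fpr is not None and fpr in allowlist
```

Because the allow-list is keyed on the primary-key fingerprint, a valid signature from a key nobody vetted is rejected even though gpg itself exits 0 for it.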