[lldb-dev] [llvm-dev] RFC: Automated signing of release files

Tom Stellard via lldb-dev lldb-dev at lists.llvm.org
Tue Jan 12 21:41:13 PST 2021


On 1/12/21 9:22 PM, Deep Majumder wrote:
> Hi Tom,
> Although I am new to the community, I think this a great idea. One 
> question I have is how would the project key be securely stored. (Like 
> where to store it and how to prevent leaks, I believe GitHub has a 
> secrets feature. Would something similar be used?)

I'm not sure, this is one thing I would like advice about.  If we used 
GitHub actions to do the signing, then using secrets would be one 
option.  I think we could also host our own GitHub Actions runner and 
store the keys there.

-Tom

> Warm regards,
> Deep
> 
> On Wed, Jan 13, 2021, 10:43 AM Tom Stellard via llvm-dev 
> <llvm-dev at lists.llvm.org <mailto:llvm-dev at lists.llvm.org>> wrote:
> 
>     Hi,
> 
>     I would like to automate the signing of some of the release files we
>     upload to the release page, starting with the source tarballs.  My
>     initial goal is to have a CI job that automatically creates, signs, and
>     uploads the source tarballs, whenever a new release is tagged.  I would
>     also like the key used for signing to be a 'project' key and not
>     someone's personal key.
> 
>     Once this is done, I would like to implement something similar for the
>     release binaries, so that testers could upload the binaries and have
>     them automatically signed.  This will be more difficult than the source
>     tarballs, because the binaries are built by individual testers, so we
>     would need to prove that they come from a trust-worthy source.
> 
>     Implementing these changes, will help streamline the release process
>     and
>     let release managers avoid doing a lot of manual mistake-prone tasks.
> 
>     The questions I have for the community are:
> 
>     Is this a good idea?
> 
>     How can I implement this securely?
> 
>     Thanks,
>     Tom
> 
>     _______________________________________________
>     LLVM Developers mailing list
>     llvm-dev at lists.llvm.org <mailto:llvm-dev at lists.llvm.org>
>     https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev
> 



More information about the lldb-dev mailing list