[llvm-dev] RFC: Automated signing of release files
Tom Stellard via llvm-dev
llvm-dev at lists.llvm.org
Tue Jan 12 21:13:13 PST 2021
I would like to automate the signing of some of the release files we
upload to the release page, starting with the source tarballs. My
initial goal is to have a CI job that automatically creates, signs, and
uploads the source tarballs, whenever a new release is tagged. I would
also like the key used for signing to be a 'project' key and not
someone's personal key.
Once this is done, I would like to implement something similar for the
release binaries, so that testers could upload the binaries and have
them automatically signed. This will be more difficult than the source
tarballs, because the binaries are built by individual testers, so we
would need to prove that they come from a trustworthy source.
Implementing these changes will help streamline the release process and
let release managers avoid doing a lot of manual, mistake-prone tasks.
The questions I have for the community are:
Is this a good idea?
How can I implement this securely?
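The flow the post proposes (build the source tarball, sign it with a dedicated project key, publish a detached signature next to it) and the verification a downstream consumer would do, as an added example that is not LLVM's release tooling or part of the original message. Everything here is constructed: the key identity "Example Project Release Signing Key <release@example.invalid>", the file names, and the sample source directory are assumptions, and the key is generated on the fly in a throwaway GNUPGHOME only so the script runs offline; in a real CI job the private key would be supplied from the CI secret store, never generated or stored in the job. The verifier side shows the check that matters for a "project key" scheme: it imports only the published project public key and pins the signing-key fingerprint from gpg's VALIDSIG status line instead of accepting any good signature, and the demo confirms that a tampered tarball and a verifier without the project key are both rejected.

```sh
#!/bin/sh
# Added example (not LLVM project code): create, sign and verify a release
# tarball with a project signing key held in an ephemeral GnuPG home.
set -eu

# Fresh GNUPGHOME so nothing touches the operator's real keyring.
new_gnupghome() {
  d=$(mktemp -d)
  chmod 700 "$d"
  printf '%s\n' "$d"
}

# Hypothetical project key. Prints the fingerprint of the key it created.
# In CI this step is replaced by importing the key from the secret store.
generate_project_key() {
  GNUPGHOME="$1" gpg --batch --quiet --gen-key 2>/dev/null <<'EOF'
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Example Project Release Signing Key
Name-Email: release@example.invalid
Expire-Date: 1y
%commit
EOF
  GNUPGHOME="$1" gpg --batch --with-colons --list-secret-keys 2>/dev/null \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Build a gzip'ed source tarball from a directory: make_tarball DIR OUT
make_tarball() {
  tar -C "$(dirname "$1")" -czf "$2" "$(basename "$1")"
}

# Detached, ASCII-armoured signature: sign_file SIGNER_HOME FPR FILE -> FILE.sig
sign_file() {
  GNUPGHOME="$1" gpg --batch --quiet --yes --armor --detach-sign \
    --local-user "$2" --output "$3.sig" "$3" 2>/dev/null
}

# Verify: verify_file VERIFIER_HOME EXPECTED_FPR SIG FILE
# Succeeds only if gpg reports a valid signature AND the signing key's
# fingerprint is the pinned project key (a good signature from some other
# key in the keyring is not enough).
verify_file() {
  status=$(GNUPGHOME="$1" gpg --batch --status-fd 1 --verify "$3" "$4" 2>/dev/null) \
    || return 1
  printf '%s\n' "$status" | grep -q "VALIDSIG $2 "
}

# End-to-end demo; returns 0 when every check behaves as expected.
run_demo() {
  work=$(mktemp -d)
  signer=$(new_gnupghome)
  fpr=$(generate_project_key "$signer")
  # The public key is what gets published alongside the releases.
  GNUPGHOME="$signer" gpg --batch --quiet --armor --export "$fpr" \
    > "$work/project-key.asc" 2>/dev/null

  # Constructed sample "source tree" standing in for the release checkout.
  mkdir -p "$work/llvm-src"
  printf 'constructed sample source\n' > "$work/llvm-src/README"
  make_tarball "$work/llvm-src" "$work/llvm-src.tar.gz"
  sign_file "$signer" "$fpr" "$work/llvm-src.tar.gz"

  # Consumer side: trust only the published project key.
  verifier=$(new_gnupghome)
  GNUPGHOME="$verifier" gpg --batch --quiet --import "$work/project-key.asc" 2>/dev/null
  verify_file "$verifier" "$fpr" "$work/llvm-src.tar.gz.sig" "$work/llvm-src.tar.gz" \
    || return 1

  # A modified tarball must fail against the original signature.
  cp "$work/llvm-src.tar.gz" "$work/tampered.tar.gz"
  printf 'x' >> "$work/tampered.tar.gz"
  if verify_file "$verifier" "$fpr" "$work/llvm-src.tar.gz.sig" "$work/tampered.tar.gz"; then
    return 1
  fi

  # A verifier that never imported the project key must fail too.
  empty=$(new_gnupghome)
  if verify_file "$empty" "$fpr" "$work/llvm-src.tar.gz.sig" "$work/llvm-src.tar.gz"; then
    return 1
  fi

  GNUPGHOME="$signer" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$work" "$signer" "$verifier" "$empty"
  echo "signing and verification checks passed"
}
```

Run it with `sh -c '. ./sign_release.sh; run_demo'` (the file name is an assumption). The fingerprint pin is the part worth copying: a downloader who runs plain `gpg --verify` against a keyring that also holds individual contributors' keys would accept a tarball signed by any of them, which is exactly the personal-key situation the post wants to move away from. None of this addresses the harder question the post raises for binaries, namely establishing that an uploaded artifact came from a trustworthy tester before the project key is applied to it.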