Tom Stellard via llvm-dev
2021-Jan-13 05:41 UTC
[llvm-dev] RFC: Automated signing of release files
On 1/12/21 9:22 PM, Deep Majumder wrote:
> Hi Tom,
> Although I am new to the community, I think this is a great idea. One
> question I have is how would the project key be securely stored. (Like
> where to store it and how to prevent leaks, I believe GitHub has a
> secrets feature. Would something similar be used?)

I'm not sure; this is one thing I would like advice about. If we used
GitHub Actions to do the signing, then using secrets would be one option.
I think we could also host our own GitHub Actions runner and store the
keys there.

-Tom

> Warm regards,
> Deep
>
> On Wed, Jan 13, 2021, 10:43 AM Tom Stellard via llvm-dev
> <llvm-dev at lists.llvm.org> wrote:
>
> Hi,
>
> I would like to automate the signing of some of the release files we
> upload to the release page, starting with the source tarballs. My
> initial goal is to have a CI job that automatically creates, signs, and
> uploads the source tarballs whenever a new release is tagged. I would
> also like the key used for signing to be a 'project' key and not
> someone's personal key.
>
> Once this is done, I would like to implement something similar for the
> release binaries, so that testers could upload the binaries and have
> them automatically signed. This will be more difficult than the source
> tarballs, because the binaries are built by individual testers, so we
> would need to prove that they come from a trustworthy source.
>
> Implementing these changes will help streamline the release process and
> let release managers avoid doing a lot of manual, mistake-prone tasks.
>
> The questions I have for the community are:
>
> Is this a good idea?
>
> How can I implement this securely?
>
> Thanks,
> Tom
>
> _______________________________________________
> LLVM Developers mailing list
> llvm-dev at lists.llvm.org
> https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev
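One way to realize the source-tarball job described in the thread, using GitHub Actions secrets as the key store that Deep asks about. This is an added example and not LLVM's workflow or anything posted by the participants; the secret names (RELEASE_GPG_PRIVATE_KEY, RELEASE_GPG_PASSPHRASE), the tag pattern, the environment name, and the assumption that a GitHub release for the tag already exists when the job runs are all my own.

```yaml
# Added example (not LLVM's own workflow). On a release-tag push: build the
# source tarball from the tag, sign it with a project key held in repository
# secrets, verify the signature locally, and upload tarball + signature.
# Secret names, tag pattern, environment name and paths are assumptions.
name: sign-release-sources

on:
  push:
    tags:
      - 'llvmorg-*'               # assumed tag pattern

permissions:
  contents: write                 # required for `gh release upload`

jobs:
  source-tarball:
    runs-on: ubuntu-latest
    # Assumed: an environment configured with required reviewers, so the
    # secrets below are only released to the job after a human approves it.
    environment: release-signing
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0

      - name: Create source tarball from the tag
        run: |
          set -euo pipefail
          tag="${GITHUB_REF_NAME}"
          # git archive depends only on the tag's tree, so anyone who later
          # checks the signature can rebuild the same archive from the tag.
          git archive --format=tar --prefix="llvm-project-${tag}/" "${tag}" \
            | xz -9 > "llvm-project-${tag}.src.tar.xz"

      - name: Import the project signing key into an ephemeral keyring
        env:
          GPG_PRIVATE_KEY: ${{ secrets.RELEASE_GPG_PRIVATE_KEY }}  # assumed secret
        run: |
          set -euo pipefail
          export GNUPGHOME="$(mktemp -d)"
          echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV"
          printf '%s\n' "$GPG_PRIVATE_KEY" | gpg --batch --import

      - name: Sign, then verify before publishing
        env:
          GPG_PASSPHRASE: ${{ secrets.RELEASE_GPG_PASSPHRASE }}    # assumed secret
        run: |
          set -euo pipefail
          f="llvm-project-${GITHUB_REF_NAME}.src.tar.xz"
          gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 \
              --armor --detach-sign "$f" <<< "$GPG_PASSPHRASE"
          # Refuse to upload anything the imported key cannot verify.
          gpg --batch --verify "$f.sig" "$f"
          sha256sum "$f" > "$f.sha256"

      - name: Upload to the release (assumes the release already exists)
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          set -euo pipefail
          f="llvm-project-${GITHUB_REF_NAME}.src.tar.xz"
          gh release upload "${GITHUB_REF_NAME}" "$f" "$f.sig" "$f.sha256" --clobber

      - name: Destroy the keyring
        if: always()
        run: rm -rf "$GNUPGHOME"
```

The security boundary here is whoever can cause this workflow to run with the secrets attached: anyone able to push a tag matching the pattern, or to change the workflow file on a branch the tag points at, can obtain a signature from the project key. Protecting the tag namespace and gating the job behind an environment with required reviewers keeps that set to the release managers. A self-hosted runner, the other option raised in the thread, moves the key off GitHub's secret store but makes the runner host's own hardening the thing the project key depends on.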