Users are looking for a way to be certain that our ISO is actually from us. Perhaps we can sign the releases we make monthly?
Description
Event Timeline
We can perhaps sign this file: https://downloads.puri.sm/byzantium/gnome/2020-02-15/checksums.sha256sum upon each release.
From @mak:
There are policy decisions needed:
- which key do we sign this with?
  - the archive key?
  - a new key?
It's difficult to automate due to security boundaries in the infrastructure, and code needs to be written for it.