In the last month there were two situations in which Open Source Software websites got hacked and filled with trojan horses/ransomware (Linux Mint, Transmission). I remember that the Godot website was also often a target of crackers (mostly when it was hosted on WordPress)...
So, I think that all files put on the website should be signed with GPG keys (and it would be good if those keys got signed by some other people that you met in person in real life), so we will be sure it's not malware.
@reduz @punto- @akien-mga
I have no clue how to do it, but yeah it would be a good idea :)
In the most ideal case we should also sign all commits (like here).
Debian has some nice docs about signing, and there is this list of good practices.
One problem with signing commits is that bzr-git doesn't work with it: https://bugs.launchpad.net/ubuntu/+source/bzr-git/+bug/1084403
But there already is one commit in godot that's signed, so we can forget compat with bzr-git.
Signing binaries / release tags? Very nice!
For the context: bzr-git is the classical way to do nightly build PPAs.
Launchpad has supported Git for some time. Is it still not possible to push to PPAs with it?
2016-03-10 23:56 GMT+01:00 est31 [email protected]:
> For the context: bzr-git is the classical way to do nightly build PPAs.
https://github.com/godotengine/godot/issues/3989#issuecomment-195088247.
```
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

But there already is one commit in godot that's signed, so we can forget compat with bzr-git.
All my commits in Godot are signed with my key.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

=juZQ
-----END PGP SIGNATURE-----
```
^ that signature is a joke, but yes, I do sign all my commits by default and have done so for some time
That sounds like a bzr-git problem to me, not a Godot problem.
By the way, when it comes to signing commits, the Git client I use, GitKraken, now has automated signing. I can simply give GitKraken my GPG key information and it automatically signs my commits. You can expect all future commits from me to be GPG signed (shows up as "Verified" on GitHub).
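The two requests in this thread, signed release files and signed commits, as an added shell example that is not code from the Godot project or from anyone in this issue. It builds a throwaway GnuPG keyring, detach-signs a stand-in release file, shows that a swapped copy (the Linux Mint scenario: same file name, different bytes) fails `gpg --verify`, and then sets `commit.gpgsign` in a scratch repository, which is what the GitKraken automation described above amounts to, and checks the result with `git verify-commit`. It assumes GnuPG 2.1+ and git on PATH; the key identity, file names and contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the Godot project or this issue thread.
# 1. Release side: detached GPG signature next to the artifact, verified
#    against the maintainer key, so a replaced download on a compromised
#    website fails verification.
# 2. Commit side: git configured to sign every commit, checked with
#    git verify-commit.
# Assumes GnuPG 2.1+ and git. Key identity, file names and contents are
# constructed for the demo.
set -eu

for tool in gpg git; do
    command -v "$tool" >/dev/null 2>&1 || { echo "needs $tool on PATH" >&2; exit 1; }
done

WORK="$(mktemp -d)"
export GNUPGHOME="$WORK/gnupg"          # private keyring; ~/.gnupg is untouched
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Create an unprotected Ed25519 signing key (demo only; a real release key
# belongs on a hardware token or at least behind a passphrase) and print
# its fingerprint.
make_release_key() {
    gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Release Bot (demo)
Name-Email: release-bot@example.org
Expire-Date: 0
%commit
EOF
    gpg --batch --with-colons --list-secret-keys | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Producer side: write an ASCII-armored detached signature next to the artifact.
sign_release() {                        # $1 = artifact path; writes $1.asc
    gpg --batch --yes --armor --detach-sign --output "$1.asc" "$1"
}

# Consumer side: exit status 0 only if $1.asc is a valid signature over $1
# by a key in the keyring. This is the check an end user would run.
verify_release() {                      # $1 = artifact path
    gpg --batch --verify "$1.asc" "$1" 2>/dev/null
}

# Turn on commit signing for a repository and make one signed commit.
setup_signed_repo() {                   # $1 = repo dir, $2 = signing key fingerprint
    git init -q "$1"
    git -C "$1" config user.name "Release Bot (demo)"
    git -C "$1" config user.email "release-bot@example.org"
    git -C "$1" config user.signingkey "$2"
    git -C "$1" config commit.gpgsign true   # every commit signed without passing -S
    echo "demo" > "$1/README"
    git -C "$1" add README
    git -C "$1" commit -q -m "Add README (signed demo commit)"
}

# Exit status 0 only if HEAD carries a good signature from a key in the keyring.
verify_head_commit() {                  # $1 = repo dir
    git -C "$1" verify-commit HEAD 2>/dev/null
}

FPR="$(make_release_key)"

ARTIFACT="$WORK/godot-demo-release.txt"
printf 'pretend this is a release tarball\n' > "$ARTIFACT"
sign_release "$ARTIFACT"

# What a replaced download looks like: same name, same .asc, different bytes.
TAMPERED="$WORK/godot-demo-release-tampered.txt"
cp "$ARTIFACT" "$TAMPERED"
cp "$ARTIFACT.asc" "$TAMPERED.asc"
printf 'extra payload\n' >> "$TAMPERED"

REPO="$WORK/repo"
setup_signed_repo "$REPO" "$FPR"

if verify_release "$ARTIFACT"; then echo "original: signature OK"; fi
if verify_release "$TAMPERED"; then echo "tampered: BUG, accepted"; else echo "tampered: rejected"; fi
if verify_head_commit "$REPO"; then echo "HEAD commit: signature OK"; fi
```

The verification step only means something if the public key reached the user through a channel other than the website being protected (a key server, a key signed by other maintainers, or a package manager's keyring, as the last comment in the thread notes); a `.asc` hosted next to the download on a compromised site proves nothing by itself.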
Do we still plan on doing this? Manual GPG verification for "end user" software seems to be on the way out, unless it's required by the package manager (apt, DNF, ...). This is even more true now that official Windows binaries are code signed.