Vscodium: GPG sign for Linux packages

Created on 14 Oct 2018 · 5 Comments · Source: VSCodium/vscodium

The latest (minimum) Linux packages aren't signed - https://gitlab.com/paulcarroty/vscodium-deb-rpm-repo/issues/1

I can sign them with my repository key, but then verification by checksums will be broken. So, I'd suggest signing them after the build, like MS did.

help wanted

All 5 comments

Is the recommendation that we sign the packages with a vscodium gpg key and then you include the same key in your repo?

@stripedpajamas you should generate the default key pair. The trickiest part here is how to sign GitLab repos with your key.

An alternative way: sign all packages with my repo keys. It breaks checksum verification, but packages can be compared via something like pkgdiff.

rng-tools should be very useful in generating GPG keys. You could probably generate your own with them.
