On 1/12/21 9:22 PM, Deep Majumder wrote:
Hi Tom,
Although I am new to the community, I think this is a great idea. One
question I have is how would the project key be securely stored. (Like
where to store it and how to prevent leaks, I believe GitHub has a
secrets feature. Would something similar be used?)
I'm not sure, this is one thing I would like advice about. If we used
GitHub Actions to do the signing, then using secrets would be one
option. I think we could also host our own GitHub Actions runner and
store the keys there.
-Tom
Warm regards,
Deep
On Wed, Jan 13, 2021, 10:43 AM Tom Stellard via llvm-dev
<llvm-...@lists.llvm.org> wrote:
Hi,
I would like to automate the signing of some of the release files we
upload to the release page, starting with the source tarballs. My
initial goal is to have a CI job that automatically creates, signs, and
uploads the source tarballs, whenever a new release is tagged. I would
also like the key used for signing to be a 'project' key and not
someone's personal key.
Once this is done, I would like to implement something similar for the
release binaries, so that testers could upload the binaries and have
them automatically signed. This will be more difficult than the source
tarballs, because the binaries are built by individual testers, so we
would need to prove that they come from a trustworthy source.
Implementing these changes will help streamline the release process and
let release managers avoid doing a lot of manual mistake-prone tasks.
The questions I have for the community are:
Is this a good idea?
How can I implement this securely?
Thanks,
Tom
_______________________________________________
LLVM Developers mailing list
llvm-...@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev
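One way the tag-triggered job Tom describes (create, sign and upload the source tarball with a project key held in GitHub secrets) could look as a GitHub Actions workflow. This is an added sketch, not LLVM's release CI; the tag pattern, the secret names LLVM_RELEASE_SIGNING_KEY / LLVM_RELEASE_SIGNING_PASSPHRASE, and the assumption that the release for the tag already exists are all assumptions.

```yaml
# Added example (not LLVM's own CI): sign the source tarball when a release tag is pushed.
name: sign-source-tarball
on:
  push:
    tags: ['llvmorg-*']          # assumption: release tags follow this pattern
permissions:
  contents: write                # needed so GITHUB_TOKEN can upload release assets
jobs:
  sign:
    runs-on: ubuntu-latest       # ephemeral hosted runner; see cleanup step for self-hosted
    env:
      TARBALL: llvm-project-${{ github.ref_name }}.src.tar.gz
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0         # git archive needs the tag object, not just a shallow tip
      - name: Create source tarball directly from the tag
        run: |
          git archive --format=tar.gz \
            --prefix="llvm-project-${GITHUB_REF_NAME}/" \
            -o "$TARBALL" "$GITHUB_REF_NAME"
      - name: Import the project signing key from a repository secret
        env:
          SIGNING_KEY: ${{ secrets.LLVM_RELEASE_SIGNING_KEY }}   # assumed secret name (armored private key)
        run: printf '%s' "$SIGNING_KEY" | gpg --batch --import
      - name: Produce a detached signature and verify it before uploading
        env:
          SIGNING_PASSPHRASE: ${{ secrets.LLVM_RELEASE_SIGNING_PASSPHRASE }}   # assumed secret name
        run: |
          gpg --batch --yes --pinentry-mode loopback --passphrase "$SIGNING_PASSPHRASE" \
            --armor --detach-sign -o "${TARBALL}.sig" "$TARBALL"
          # Fail the job if the signature does not verify against the imported key.
          gpg --batch --verify "${TARBALL}.sig" "$TARBALL"
      - name: Upload tarball and signature to the release for this tag
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh release upload "$GITHUB_REF_NAME" "$TARBALL" "${TARBALL}.sig"
      - name: Remove the imported key material from the runner
        if: always()             # matters on a self-hosted runner, which is not wiped between jobs
        run: rm -rf ~/.gnupg
```

The verify step uses the key that was just imported, so it catches a corrupt tarball or a failed signing call, not a compromised secret; protecting the secret itself is still the open question Tom raises.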
_______________________________________________
lldb-dev mailing list
lldb-dev@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/lldb-dev