On 1/12/21 9:22 PM, Deep Majumder wrote:
Hi Tom,
Although I am new to the community, I think this is a great idea. One question I have is how would the project key be securely stored. (Like where to store it and how to prevent leaks. I believe GitHub has a secrets feature. Would something similar be used?)

I'm not sure, this is one thing I would like advice about. If we used GitHub Actions to do the signing, then using secrets would be one option. I think we could also host our own GitHub Actions runner and store the keys there.

-Tom

Warm regards,
Deep

On Wed, Jan 13, 2021, 10:43 AM Tom Stellard via llvm-dev <llvm-...@lists.llvm.org> wrote:

    Hi,

    I would like to automate the signing of some of the release files we
    upload to the release page, starting with the source tarballs.  My
    initial goal is to have a CI job that automatically creates, signs, and
    uploads the source tarballs, whenever a new release is tagged.  I would
    also like the key used for signing to be a 'project' key and not
    someone's personal key.

    Once this is done, I would like to implement something similar for the
    release binaries, so that testers could upload the binaries and have
    them automatically signed.  This will be more difficult than the source
    tarballs, because the binaries are built by individual testers, so we
    would need to prove that they come from a trustworthy source.

    Implementing these changes will help streamline the release process and
    let release managers avoid doing a lot of manual mistake-prone tasks.

    The questions I have for the community are:

    Is this a good idea?

    How can I implement this securely?

    Thanks,
    Tom

    _______________________________________________
    LLVM Developers mailing list
    llvm-...@lists.llvm.org
    https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev


_______________________________________________
lldb-dev mailing list
lldb-dev@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/lldb-dev
