Caiyeon/goldfish

Feature request: Signed releases

avanier opened this issue · 2 comments

Would it be possible to have signed binary releases? Right now, if I want to get binaries that I know represent the code available at a given version, I have to pull from GitHub and compile the code myself.

GPG FTW.

That'd be nice indeed. You don't want fake packages to go leak all your secrets xD

Yes, I have thought about signed releases and will likely do this in the future. Although, I'm not sure how far in the future. It probably won't be in the next release.

A signed package does not guarantee the source code from which it is compiled.

But the concern is valid. I, too, am paranoid, and would expect signed releases in the future.
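An added example, not code from the goldfish project or from anyone in this thread, of what a user-side check for signed releases looks like: the maintainer signs a SHA256SUMS-style manifest, the downloader verifies the manifest signature against a pinned key and then checks the binary's digest against it. Ed25519 from the Go standard library stands in for a GPG detached signature so the example runs offline; the artifact names and "binary" contents are constructed placeholders. It also shows the limit raised above: the check proves the bytes came from the key holder, not which source they were built from.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// ManifestFor builds a SHA256SUMS-style manifest, one "<hex digest>  <name>" line per
// artifact, sorted by name so that two builds of the same bytes yield the same manifest.
func ManifestFor(artifacts map[string][]byte) string {
	names := make([]string, 0, len(artifacts))
	for name := range artifacts {
		names = append(names, name)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, name := range names {
		sum := sha256.Sum256(artifacts[name])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), name)
	}
	return b.String()
}

// SignManifest is the release-time step: the maintainer signs the manifest once rather
// than every binary. Ed25519 stands in for a GPG detached signature here (assumption).
func SignManifest(priv ed25519.PrivateKey, manifest string) []byte {
	return ed25519.Sign(priv, []byte(manifest))
}

// VerifyArtifact is the download-time step a user runs with the maintainer's pinned
// public key. It checks, in order:
//  1. the manifest signature (anyone can publish a SHA256SUMS file; only the key holder
//     can sign one),
//  2. that the artifact is actually listed in that signed manifest,
//  3. that the downloaded bytes hash to the listed digest.
//
// Passing all three proves the bytes are what the key holder published. It proves nothing
// about which source they were built from: the signature binds a key to bytes, not to a
// git tag. Reproducible builds are the separate step that would close that gap.
func VerifyArtifact(pub ed25519.PublicKey, manifest string, sig []byte, name string, artifact []byte) error {
	if !ed25519.Verify(pub, []byte(manifest), sig) {
		return errors.New("manifest signature does not verify against the pinned key")
	}
	var want string
	for _, line := range strings.Split(strings.TrimSpace(manifest), "\n") {
		fields := strings.Fields(line)
		if len(fields) == 2 && fields[1] == name {
			want = fields[0]
			break
		}
	}
	if want == "" {
		return fmt.Errorf("%s is not listed in the signed manifest", name)
	}
	sum := sha256.Sum256(artifact)
	if got := hex.EncodeToString(sum[:]); got != want {
		return fmt.Errorf("%s: digest %s does not match signed digest %s", name, got, want)
	}
	return nil
}

func main() {
	// Constructed sample release: the "binaries" are placeholder bytes, not real goldfish builds.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	artifacts := map[string][]byte{
		"goldfish-linux-amd64":  []byte("constructed linux build"),
		"goldfish-darwin-amd64": []byte("constructed darwin build"),
	}
	manifest := ManifestFor(artifacts)
	sig := SignManifest(priv, manifest)

	fmt.Print(manifest)
	fmt.Println("genuine download:", VerifyArtifact(pub, manifest, sig, "goldfish-linux-amd64", artifacts["goldfish-linux-amd64"]))
	fmt.Println("tampered download:", VerifyArtifact(pub, manifest, sig, "goldfish-linux-amd64", []byte("backdoored build")))
	// An attacker who swaps the binary can also publish a matching SHA256SUMS, but cannot re-sign it.
	forged := ManifestFor(map[string][]byte{"goldfish-linux-amd64": []byte("backdoored build")})
	fmt.Println("forged manifest:", VerifyArtifact(pub, forged, sig, "goldfish-linux-amd64", []byte("backdoored build")))
}
```

The order of the checks matters: the digest comparison is only meaningful after the manifest's signature has been verified, otherwise an attacker who replaces the binary on the download host simply replaces the checksum file next to it. With real GPG the equivalent is `gpg --verify SHA256SUMS.sig SHA256SUMS` against a key obtained out of band, followed by `sha256sum -c`.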