No releases?
Opened this issue · 7 comments
The README points to https://github.com/romanz/trezor-agent/blob/master/releases, but there are no releases. Is this intentional?
There seem to be releases on PyPI, but those are not signed, which seems a bit problematic (and ironic!), given the nature of this project.
Good catch, thanks!
I will update the docs, and prepare a new signed PyPI release :)
Unfortunately, it seems PyPI doesn't support PGP signatures :(
https://blog.pypi.org/posts/2023-05-23-removing-pgp/
I will make sure the git tags are signed using https://romanzey.de/pgp.txt - so you should be able to verify them using:
```
git tag -v v0.15.0
object 868975fb0cf2941bad51d283f64e1661ace4c8f4
type commit
tag v0.15.0
tagger Roman Zeyde <me@romanzey.de> 1725560687 +0300
Bump version: 0.14.8 → 0.15.0
gpg: Signature made Thu 05 Sep 2024 09:24:47 PM IDT
gpg: using ECDSA key 15C8C3574AE4F1E25F3F35C587CAE5FA46917CBB
gpg: issuer "me@romanzey.de"
gpg: Good signature from "Roman Zeyde <me@romanzey.de>" [ultimate]
gpg: aka "Roman Zeyde <roman.zeyde@gmail.com>" [ultimate]
```
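A pinned-fingerprint form of the check above, as an added example (not part of the original comment or the project's own tooling): "Good signature" only says that some key in the local keyring signed the tag, so this script reads the status lines from `git verify-tag --raw` and accepts the tag only when the signing key is the one shown in the output above. The function names `check_status` and `verify_tag` are illustrative.

```shell
#!/bin/sh
# Added example: accept a tag only if it was signed by one pinned key.
# Usage (inside a clone, with the maintainer's key imported): ./verify-tag.sh v0.15.0

# Signing-key fingerprint as printed by `git tag -v v0.15.0` in the comment above.
EXPECTED_FPR="15C8C3574AE4F1E25F3F35C587CAE5FA46917CBB"

# check_status FPR
# Reads GnuPG status lines on stdin. Succeeds only when there is exactly one
# VALIDSIG line, its signing-key fingerprint equals FPR, and no status line
# reports a bad, unverifiable, expired or revoked signature/key.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" { n++; if (toupper($3) == toupper(want)) ok++ }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END {
            if (n == 1 && ok == 1 && !bad) exit 0
            exit 1
        }
    '
}

# verify_tag TAG
# `git verify-tag --raw` writes the machine-readable status to stderr, so
# stderr is routed into the pipe and the human-readable stdout is dropped.
verify_tag() {
    git verify-tag --raw "$1" 2>&1 >/dev/null | check_status "$EXPECTED_FPR"
}

# Run only when a tag name is given, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    if verify_tag "$1"; then
        echo "OK: $1 is signed by $EXPECTED_FPR"
    else
        echo "FAIL: $1 is not validly signed by $EXPECTED_FPR" >&2
        exit 1
    fi
fi
```

The pinned fingerprint should be obtained over a channel independent of the repository being checked, otherwise the pin adds nothing over the keyring.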
Maybe you could add signed tarballs to GitHub? That makes it much easier for distros to consume it.
That looks good, but is it only libagent?