Request: GPG-sign releases or commits

[erikarvstedt]

While packaging trustedcoin for nix-bitcoin, where we use signature checking for all package releases, I noticed that trustedcoin provides no signatures at all.
Could you add sigs? This would remove Github as a trusted party for distributing trustedcoin.

(Yes, it's slightly amusing to request this for a package like trustedcoin.)

[fiatjaf]

I have no idea of how to do this. Is there a guide somewhere? Do the signatures have to be in some special place or something like that? What about the key?

[erikarvstedt]

1. If you don't have a GPG key, generate it,
2. Add the key to GitHub
3. Follow section Telling Git about your GPG key
4. Publish the pubkey to keyservers:

# key is the same hex string that you used in `git config --global user.signingkey <key>`
key=<key>
gpg --send-keys --keyserver hkps://keys.openpgp.org $key
gpg --send-keys --keyserver hkps://keyserver.ubuntu.com $key

5. To sign all future commits in a git repo, run git config commit.gpgsign true in the repo.
   To configure this for all repos, change the global config: git config --global commit.gpgsign true

[fiatjaf]

Thank you for the guide. I think this should be done. Let me know if not.

[erikarvstedt]

Done, indeed. Thank you!