| Summary: | ITS Tool releases could be PGP-signed | ||
|---|---|---|---|
| Product: | ITS Tool | Reporter: | Tanguy Ortolo <tanguy+freedesktop.org> |
| Component: | general | Assignee: | Shaun McCance <shaunm> |
| Status: | NEW --- | QA Contact: | |
| Severity: | enhancement | ||
| Priority: | low | Keywords: | security |
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | All | ||
| Whiteboard: | |||
Hello,

If possible, it would be nice to PGP-sign ITS Tool releases, in addition to or in place of the existing SHA-256 checksums. That would allow users to check they are not downloading a rogue version created to create a security breach in their systems. Notably, the Debian operating system can automatically check upstream releases, which allows building a full security chain, since the packages derived from them are also signed!

If you have a working installation of GnuPG, that can be done with the following command:

    $ gpg --detach-sign itstool-2.0.2.tar.bz2

Regards,

--
Tanguy Ortolo
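The downloader's side of the signing command in the report, as an added example that is not part of the original report or of ITS Tool's release process: it signs a stand-in tarball, verifies it from a separate keyring, then shows that a modified file is rejected. The key, the `release@example.invalid` identity, the tarball contents and the helper names `verify_release` and `demo` are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: create a detached signature, then verify it as a downloader would.
# The key and the tarball contents are constructed; nothing here is a real release.

# Exit 0 only if SIG is a good signature over FILE made by a key in keyring dir HOME.
verify_release() {  # usage: verify_release HOME FILE SIG
    gpg --homedir "$1" --batch --verify "$3" "$2" >/dev/null 2>&1
}

demo() {
    work=$(mktemp -d) || return 2
    maint="$work/maint"; user="$work/user"; tarball="$work/itstool-2.0.2.tar.bz2"
    mkdir -m 700 "$maint" "$user"
    printf 'constructed stand-in for the release tarball\n' > "$tarball"

    # Maintainer side: throwaway key without passphrase, then the command from the report.
    gpg --homedir "$maint" --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Constructed Key <release@example.invalid>' \
        default default never >/dev/null 2>&1 || return 2
    gpg --homedir "$maint" --batch --detach-sign "$tarball" \
        >/dev/null 2>&1 || return 2          # writes "$tarball.sig"

    # Downloader side: a separate keyring that holds only the exported public key.
    gpg --homedir "$maint" --batch --export 2>/dev/null |
        gpg --homedir "$user" --batch --import >/dev/null 2>&1 || return 2

    if verify_release "$user" "$tarball" "$tarball.sig"
    then intact=accepted; else intact=rejected; fi

    # Simulate a modified download: one appended byte invalidates the signature.
    printf 'x' >> "$tarball"
    if verify_release "$user" "$tarball" "$tarball.sig"
    then tampered=accepted; else tampered=rejected; fi

    gpgconf --homedir "$maint" --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$work"
    echo "intact:$intact tampered:$tampered"
}

demo
```

`gpg --verify` exits 0 for a good signature from any key present in the keyring, so the check is only as strong as the way the release key was obtained; keeping a dedicated keyring that contains nothing but that key, as the demo does, makes the exit status meaningful.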