GitHub automatically generates .tar.gz and .zip packages of the repository when a release or pre-release is created under Releases. However, these packages are not signed! The tag might be signed, but if a user downloads one of those archives there is no real attestation of its content, only trust in GitHub.
You can, however, edit a release after it has been generated to upload files, and that is how you upload signature files for those packages (as I usually do). But to sign them you first need to download them and, of course, verify them! Otherwise you would be signing your trust in GitHub without checking.
I will be using a tool I wrote for recursive BLAKE2 checksums, b2rsum. Any other tool that does the same will work.
To properly verify those packages, do the following:

- Create a temporary directory to hold everything; let's call it /tmp/github.
- Copy your source code to a subdirectory there:

      cp -r ~/code/myproject /tmp/github/orig

- Remove files that are not part of the release (compiled output, gitignored files) and the .git directory from /tmp/github/orig. This keeps the verification free of false positives.
- Go into the directory and create a checksum file:

      cd /tmp/github/orig
      b2rsum -o .

- Go back up, download a GitHub package and extract it:

      cd /tmp/github
      wget -O {package}.tar.gz https://github.com/{user}/{project}/archive/{tag}.tar.gz
      tar -xf {package}.tar.gz

- Go into the extracted directory and verify that every file that is supposed to be there is present and identical to your copy:

      cd /tmp/github/{project-dir}
      b2rsum -c /tmp/github/orig/BLAKE2SUMS

- Create a checksum file for this directory:

      b2rsum -o .

- Go into the orig dir and check against that checksum file that no extra file was added to the package. The two checks together cover both directions: nothing missing or changed, and nothing added.

      cd /tmp/github/orig
      b2rsum -c /tmp/github/{project-dir}/BLAKE2SUMS

- If all checks passed, the package can be signed. Discard the extracted dir first:

      cd /tmp/github
      rm -rf {project-dir}

- Sign using minisign (recommended):

      minisign -Sm {package}.tar.gz

- Or sign using GPG:

      gpg --sign --detach-sign --interactive --verbose --digest-algo sha512 -o {package}.tar.gz.sig {package}.tar.gz

- That's it! Repeat for the other package (.zip in this example) and upload the signature files to the release.
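The two-way check above, as an added example that is not part of the post and does not use b2rsum: it reproduces the same logic with coreutils (`b2sum`, falling back to `sha256sum` when `b2sum` is not installed), works in a private mktemp directory instead of /tmp/github, and builds a constructed source tree plus three candidate "packages" (a faithful copy, one with a modified file, one with a stray extra file) so it runs offline. The directory names, file contents and function names are all assumptions for the demo.

```shell
#!/bin/sh
# Added example, not the post's own script and not b2rsum: the same two-way
# check using coreutils. Assumes GNU `b2sum` (coreutils >= 8.26) and falls
# back to `sha256sum` when it is absent; works in a private mktemp directory
# instead of /tmp/github. The source tree and "packages" are constructed
# below so the script runs offline.
set -u

HASH_TOOL=$(command -v b2sum >/dev/null 2>&1 && echo b2sum || echo sha256sum)

# make_sums DIR: write "<hash>  ./relative/path" for every regular file
# under DIR into DIR/SUMS (sorted), the format that `b2sum -c` reads.
# The SUMS file itself is excluded so the two trees stay comparable.
make_sums() {
    ( cd "$1" && find . -type f ! -name SUMS -exec "$HASH_TOOL" {} + \
        | LC_ALL=C sort -k2 ) > "$1/SUMS"
}

# verify_package ORIG PKG
#   pass 1, run inside PKG:  every file ORIG lists must exist with the same
#                            hash (catches missing and modified files)
#   pass 2, run inside ORIG: every file PKG lists must exist in ORIG
#                            (catches files added to the archive)
# Returns 0 only when both passes succeed; 1 or 2 names the failing pass.
verify_package() {
    make_sums "$1"
    ( cd "$2" && "$HASH_TOOL" -c --quiet "$1/SUMS" ) || return 1
    make_sums "$2"
    ( cd "$1" && "$HASH_TOOL" -c --quiet "$2/SUMS" ) || return 2
    return 0
}

# demo_setup: build a constructed source tree plus three candidate packages:
# a faithful copy, one with a modified file, and one with an extra file.
# Prints the root directory so the caller can clean it up.
demo_setup() {
    root=$(mktemp -d)
    mkdir -p "$root/orig/src"
    printf 'int main(void) { return 0; }\n' > "$root/orig/src/main.c"
    printf 'all:\n\tcc -o demo src/main.c\n' > "$root/orig/Makefile"
    cp -r "$root/orig" "$root/good"
    cp -r "$root/orig" "$root/modified"
    printf 'int main(void) { return 1; }\n' > "$root/modified/src/main.c"
    cp -r "$root/orig" "$root/extra"
    printf 'not in the source tree\n' > "$root/extra/stray.txt"
    echo "$root"
}

# demo: run the check against all three packages and report which one
# would be safe to sign. Only the faithful copy should pass.
demo() {
    root=$(demo_setup)
    for pkg in good modified extra; do
        if verify_package "$root/orig" "$root/$pkg" >/dev/null 2>&1; then
            echo "$pkg: identical to the source tree, safe to sign"
        else
            echo "$pkg: verification failed, do not sign"
        fi
    done
    rm -rf "$root"
}

demo
```

The second pass is what makes the procedure meaningful: a plain `-c` run against your own checksum file only proves that your files survived, not that nothing else rode along in the archive, which is exactly the case a signature should never vouch for.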