GitHub automatically generates .tar.gz and .zip archives of the repository when a release or pre-release is created under Releases. However, these archives are not signed! The tag might be signed, but if a user downloads one of those archives there is no real certification of its content, only pure trust in GitHub.
You can, however, edit a release after it has been generated and upload extra files, and that is how signature files for those archives get attached (as I usually do). But to sign them, you first need to download them and, of course, verify them! Otherwise you would be lending your signature to whatever GitHub produced without checking it.
I will be using b2rsum, a tool I wrote for recursive BLAKE2 checksums. Any other tool that does the same will work if you prefer.
To properly verify those archives, do the following:
- Create a temporary directory to store all files; let's call it `/tmp/github`.
- Copy your source code to a subdirectory there: `cp -r ~/code/myproject /tmp/github/orig`.
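The comparison the steps above lead to, as an added example that is not the author's b2rsum nor part of the original post: it extracts a GitHub-style archive, strips the top-level `project-version/` directory GitHub adds, and compares per-file BLAKE2 sums against the copied checkout (skipping `.git`, which GitHub archives never contain). The `myproject-1.0` sample tree it builds is constructed here so the script runs offline; GNU tar and coreutils `b2sum` are assumed.

```shell
# Added example (not the author's b2rsum): check that a GitHub-generated
# source archive matches a local checkout before signing it. Uses GNU
# coreutils b2sum (BLAKE2b) and GNU tar's --strip-components / --exclude.
set -eu

hash_file() { if command -v b2sum >/dev/null 2>&1; then b2sum "$1"; else sha256sum "$1"; fi; }
# Recursive checksum list of a tree: relative paths, sorted, so two identical
# trees give byte-identical output. .git is pruned because GitHub archives
# never contain it (nor files marked export-ignore in .gitattributes).
tree_sums() {
    (cd "$1" && find . -path ./.git -prune -o -type f -print | sort \
        | while IFS= read -r f; do hash_file "$f"; done)
}

# verify_archive ARCHIVE ORIG_DIR
# Extracts ARCHIVE (a .tar.gz with one top-level directory, as GitHub
# produces) into a scratch directory, drops that top-level directory and
# compares checksums with ORIG_DIR. Returns 0 only if every file matches.
verify_archive() {
    work=$(mktemp -d); orig_sums=$(mktemp); pkg_sums=$(mktemp)
    tar -xzf "$1" -C "$work" --strip-components=1
    tree_sums "$2" > "$orig_sums"
    tree_sums "$work" > "$pkg_sums"
    if cmp -s "$orig_sums" "$pkg_sums"; then
        rc=0
    else
        echo "MISMATCH: $1 differs from $2" >&2
        diff "$orig_sums" "$pkg_sums" >&2 || true
        rc=1
    fi
    rm -rf "$work" "$orig_sums" "$pkg_sums"
    return $rc
}

# Constructed sample project laid out like a GitHub archive (no network):
# prints the scratch root containing myproject-1.0/ and myproject-1.0.tar.gz.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/myproject-1.0/src" "$root/myproject-1.0/.git"
    printf 'int main(void) { return 0; }\n' > "$root/myproject-1.0/src/main.c"
    printf 'sample project\n' > "$root/myproject-1.0/README"
    printf 'ref: refs/heads/main\n' > "$root/myproject-1.0/.git/HEAD"
    tar -czf "$root/myproject-1.0.tar.gz" -C "$root" --exclude=.git myproject-1.0
    echo "$root"
}

# Stand-alone run: a clean archive verifies, so it would be safe to sign.
root=$(make_sample)
verify_archive "$root/myproject-1.0.tar.gz" "$root/myproject-1.0" && echo "archive matches, safe to sign"
```

Only when `verify_archive` returns 0 should the archive be signed; a non-zero result prints the differing checksum lines so you can see which file changed.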