Created
December 10, 2016 05:54
-
-
Save desyncr/4be22cdaea5fb10b50586feb066af339 to your computer and use it in GitHub Desktop.
Notes on making a signed software release
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Notes on making a signed software release | |
========================================= | |
Create a signed tag called NAME-VERSION with | |
git tag --message=NAME-VERSION --sign NAME-VERSION | |
Generate a release tar.gz and signature with | |
git archive --output=NAME-VERSION.tar.gz --prefix=NAME-VERSION/ NAME-VERSION | |
zcat NAME-VERSION.tar.gz | gpg --armor --detach-sign >NAME-VERSION.tar.sign | |
Verify the signature with | |
zcat gist-1.0.tar.gz | gpg --verify gist-1.0.tar.sign - | |
Generate a tar.bz2 or tar.xz if required with | |
zcat NAME-VERSION.tar.gz | bzip2 - >NAME-VERSION.tar.xz | |
zcat NAME-VERSION.tar.gz | xz - >NAME-VERSION.tar.xz | |
Upload the release tarball(s) and detached signature file to the Github | |
project download area, and update arachsys.github.com/index.md with the new | |
links if necessary. | |
Example: | |
git tag --message=gist-1.0 --sign gist-1.0 | |
git archive --output=gist-1.0.tar.gz --prefix=gist-1.0/ gist-1.0 | |
zcat gist-1.0.tar.gz | gpg --armor --detach-sign >gist-1.0.tar.sign | |
zcat gist-1.0.tar.gz | gpg --verify gist-1.0.tar.sign - |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment