Using gpg inside the VM is far more hassle than it's worth. It also appears that the key import and signing inside the VM requires a private key without a passphrase, which introduces an unnecessary security weakness (I nearly compromised my key trying to debug it), and I don't know how to do it without falling back to gnupg 1.4.
The gitian signatures do not need to be deterministic; only the information being signed is expected to be deterministic.
Signing outside the VM could still be automated. However, philosophically I also dislike that we are even attempting to automate it. The signer should have explicit control of what is signed, and that's easier if they just do it manually.