On 02/24/2017 03:27 PM, Mike Swanson wrote:
> On Fri, 2017-02-24 at 14:52 +0100, Bruno Pagani wrote:
>> Debian wrote a nice page about this: https://wiki.debian.org/Creating%20signed%20GitHub%20releases
>
> This wiki offers bad advice. It trusts that GitHub itself is not compromised and will provide a good download based on the repository alone.
>
> Thankfully, because GitHub normally just uses `git archive` and those releases are deterministic, it can be solved by using your local repository alone, for example:
>
> $ git archive --format=tar.gz --prefix=mysoftware-0.4/ mysoftware-0.4 \
>     | gpg -a -b -o mysoftware-0.4.tar.gz.asc
Congratulations, you have just won today's FUD award! For everyone else on this thread, what that Wiki *really* said, is:
4. Go back to your "Releases" section and download the tarball mysoftware-0.4.tar.gz automatically generated by GitHub. Verify that the tarball contains exactly the same data as the git repository.
Also, that Wiki page actually gave the original source for Mike's plagiarized local example. But someone should probably fix that Wiki, and Mike's untested plagiarism... because I, having actually tested it myself, can confirm those commands don't work on account of someone being really confused about what a "tag" is.

The following git alias does work for the latest tag on $currentbranch, assuming the repo is cloned to a directory named the same as the remote repo name (but for more robustness, parse the output of `git config --get remote.$(git config --get branch.master.remote).url`). Which I believe is a reasonable assumption to make.

```
[eschwartz@arch ~]$ git config --get alias.github-archive
!sh -c 'repo=$(basename $(pwd)) && tag=$(git describe --abbrev=0 --tags) && git archive --prefix=${repo}-${tag#v}/ -o ${repo}-${tag#v}.tar.gz ${tag}'
```

-- 
Eli Schwartz
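An added example, not code from any message in this thread, that combines the two suggestions above: naming the archive from the remote URL as Eli proposes instead of from the directory name, and carrying out the wiki's step 4 check before signing, comparing the uncompressed tar streams so that a different gzip build on GitHub's side does not mask identical contents. It assumes sh, git, gzip, sha256sum and gpg are installed and that the remote URL and tag are whatever the local clone carries.

```shell
#!/bin/sh
# Added example, not code from any message in this thread. Builds the
# tarball GitHub generates for a tag, checks a downloaded copy against it
# (the wiki's step 4) and only then detach-signs it. Assumes sh, git,
# gzip, sha256sum and gpg on PATH.
set -eu

# repo_name_from_remote: take the repository name from the remote URL of
# the checked-out branch (falling back to "origin"), as suggested in the
# thread. Works for https://github.com/u/repo.git and git@github.com:u/repo.git.
repo_name_from_remote() {
    branch=$(git rev-parse --abbrev-ref HEAD)
    remote=$(git config --get "branch.${branch}.remote" || echo origin)
    url=$(git config --get "remote.${remote}.url")
    name=${url##*/}            # keep the text after the last slash
    printf '%s\n' "${name%.git}"
}

# archive_for_tag TAG: write <repo>-<version>.tar.gz with the same
# <repo>-<version>/ prefix GitHub uses (a leading "v" on the tag is dropped).
archive_for_tag() {
    tag=$1
    repo=$(repo_name_from_remote)
    ver=${tag#v}
    out="${repo}-${ver}.tar.gz"
    git archive --format=tar.gz --prefix="${repo}-${ver}/" -o "$out" "$tag"
    printf '%s\n' "$out"
}

# same_tar_data A B: compare the uncompressed tar streams, so a different
# gzip implementation on GitHub's side cannot hide identical contents.
same_tar_data() {
    a=$(gzip -dc "$1" | sha256sum | cut -d' ' -f1)
    b=$(gzip -dc "$2" | sha256sum | cut -d' ' -f1)
    [ "$a" = "$b" ]
}

# verify_and_sign LOCAL DOWNLOADED: refuse to sign unless the GitHub
# download carries exactly the data of the locally built archive.
verify_and_sign() {
    if same_tar_data "$1" "$2"; then
        gpg -a -b -o "$1.asc" "$1"
    else
        echo "refusing to sign: $2 differs from $1" >&2
        return 1
    fi
}
# Usage: archive_for_tag v0.4; verify_and_sign mysoftware-0.4.tar.gz github-download.tar.gz
```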