Sign releases using GPG #26

@sudomateo

Description

Sign releases using GPG when it makes sense to do so. Originally it was decided not to sign releases with GPG for the following reasons.

  • The packer init command does not do any GPG verification when downloading and installing plugins. Most users are going to use packer init to install this plugin rather than manually verifying the GPG signature first.
  • Oxide doesn't publish public GPG keys. If we signed releases with GPG keys we'd have to host the public GPG key somewhere. One thought was to include the public key in this GitHub repository but then both releases and the GPG public key would be hosted on GitHub, reducing the security model to GitHub's TLS.

To be clear, we're not opposed to GPG signing releases. It's just not something that's worth doing until it can be done well.
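The manual verification the first bullet refers to (what a user would do instead of relying on packer init), written out as an added shell example. It is not the plugin's release tooling, and everything in it is constructed for the demo: a throwaway ed25519 signing key generated into a temporary GNUPGHOME, the artifact names, and the checksum-file layout. It also shows how a consumer sidesteps the second bullet's concern, that the key and the release would sit on the same host: the verifier pins the key fingerprint obtained out of band and refuses the release unless the imported key, the signature and the checksums all line up with it.

```shell
#!/bin/sh
# Added example, not the plugin's own release tooling. Everything here is
# constructed for the demo: a throwaway signing key, the artifact names and
# the checksum-file layout. Requires gpg (GnuPG 2.1+) and coreutils.
set -eu

WORK="$(mktemp -d)"
RELEASE_DIR="$WORK/release"
ZIP="packer-plugin-example_v0.1.0_linux_amd64.zip"
SUMS="packer-plugin-example_v0.1.0_SHA256SUMS"
KEYFILE="release-signing-key.asc"

# ---- Release side: what a maintainer's signing step would produce ----
# Ephemeral, unprotected key in a private GNUPGHOME so this runs offline.
export GNUPGHOME="$WORK/signer-gnupg"
mkdir -m 700 "$GNUPGHOME"
gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Example Release Signer
Name-Email: release@example.invalid
Expire-Date: 0
%commit
EOF
# The primary-key fingerprint is what a consumer pins out of band (for a real
# project: from the project website, a keyserver, a conference badge, not from
# the same download location as the release).
FPR="$(gpg --batch --with-colons --list-keys | awk -F: '/^fpr:/ {print $10; exit}')"

mkdir "$RELEASE_DIR"
printf 'constructed stand-in for a plugin binary\n' > "$RELEASE_DIR/$ZIP"
(cd "$RELEASE_DIR" && sha256sum "$ZIP" > "$SUMS")
# Sign the checksum file rather than each artifact; artifacts are bound by hash.
gpg --batch --quiet --detach-sign --local-user "$FPR" \
    --output "$RELEASE_DIR/$SUMS.sig" "$RELEASE_DIR/$SUMS"
gpg --batch --armor --export "$FPR" > "$RELEASE_DIR/$KEYFILE"

# ---- Consumer side: manual verification against a pinned fingerprint ----
# verify_release DIR PINNED_FPR SUMS_FILE
# Returns 0 only if the key shipped in DIR matches PINNED_FPR, the detached
# signature over SUMS_FILE is valid and made by that key, and every listed
# hash matches. Non-zero codes identify which check failed (1..4).
verify_release() {
    dir="$1"; pinned="$2"; sums="$3"
    vhome="$(mktemp -d)"; chmod 700 "$vhome"
    rc=0
    if ! GNUPGHOME="$vhome" gpg --batch --quiet --import "$dir/$KEYFILE" 2>/dev/null; then
        rc=1
    # Trust comes from the pinned fingerprint, not from the downloaded key file.
    elif [ "$(GNUPGHOME="$vhome" gpg --batch --with-colons --list-keys \
              | awk -F: '/^fpr:/ {print $10; exit}')" != "$pinned" ]; then
        rc=2
    # VALIDSIG carries the fingerprint of the key that made the signature, so
    # this rejects a good signature from any other key in the keyring.
    elif ! GNUPGHOME="$vhome" gpg --batch --status-fd 1 --verify \
              "$dir/$sums.sig" "$dir/$sums" 2>/dev/null \
              | grep -q "^\[GNUPG:\] VALIDSIG $pinned "; then
        rc=3
    # Only now is the checksum file trustworthy; check the artifacts against it.
    elif ! (cd "$dir" && sha256sum --quiet -c "$sums" 2>/dev/null); then
        rc=4
    fi
    rm -rf "$vhome"
    return "$rc"
}

if verify_release "$RELEASE_DIR" "$FPR" "$SUMS"; then
    echo "release verified: signature by pinned key $FPR, checksums match"
fi

# A modified artifact must be rejected even though the signature is still good.
cp -R "$RELEASE_DIR" "$WORK/tampered"
printf 'injected byte\n' >> "$WORK/tampered/$ZIP"
if ! verify_release "$WORK/tampered" "$FPR" "$SUMS"; then
    echo "tampered artifact rejected"
fi
```

The order of checks matters: the fingerprint comparison runs before gpg --verify, so a key file swapped on the download host is caught at step 2 rather than producing a "good" signature from the attacker's key, and sha256sum -c runs last because the checksum list is only meaningful once its signature has been validated.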
