Why should I create signed releases?

If your software is hosted at GitHub, you may think you don't need to do anything special to release your work for distribution.

A sequence of commit hashes is not a good way to access known releases of your software. It is a good idea to explicitly create releases, each with a clear, meaningful version string. This makes packaging work much easier and also gives your users an easy-to-use mechanism for getting a specific version of your software.

It is an even better idea to additionally sign your releases using your GnuPG key. This way, your users can verify that the tarball they received is byte-for-byte the same tarball you released.

Creating GnuPG-signed releases on GitHub

1. Create a new tag in your Git repository:

git tag mysoftware-0.4
git push --tags

2. Go to your GitHub project and click on the "Releases" link

(screenshot: releases.png)

3. Click on "Draft a new release", fill out the tag, title and description field and click on "Publish release"

(screenshot: fillout.png)

4. Go back to your "Releases" section and download the tarball mysoftware-0.4.tar.gz automatically generated by GitHub.

5. If you do not have a GnuPG key yet, learn how to create one and make sure it is uploaded to a public keyserver.

6. Sign the tarball with your key:

gpg --armor --detach-sign mysoftware-0.4.tar.gz

This should give a file called mysoftware-0.4.tar.gz.asc.

7. Edit your release again and attach the detached signature mysoftware-0.4.tar.gz.asc to the release as a binary attachment.

(screenshot: attach.png)
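The signing step above, together with the verification a user performs after downloading the tarball and its .asc file, as an added example that is not part of this wiki page. It runs entirely in a throwaway GNUPGHOME so your real keyring is never touched; the demo key identity, the sample source tree standing in for the GitHub-generated archive, and the file names are constructed for the demo. It also shows what a user sees when the file they received differs from the signed one.

```shell
#!/bin/sh
# Added example (not from the wiki page): sign a release tarball with a
# detached ASCII-armored GnuPG signature and verify it like a downstream user.
# Everything lives in a temporary GNUPGHOME; the key identity, the sample
# source tree and the file names are constructed for this demo.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT

# Non-interactive gpg: no pinentry prompts, overwrite existing output files.
gpg_q() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"
}

# Demo stand-in for step 5: a throwaway, passphrase-less signing key.
# A real release key carries a passphrase and is published to a keyserver.
make_release_key() {
    gpg_q --quick-generate-key 'Demo Release Key <release@example.invalid>' default default never
}

# Stand-in for the archive GitHub generates from the tag: a constructed
# source tree packed as NAME.tar.gz. Prints the tarball path.
make_tarball() {
    name=$1
    mkdir -p "$WORK/$name/src"
    printf 'int main(void) { return 0; }\n' > "$WORK/$name/src/main.c"
    printf '%s (constructed sample)\n' "$name" > "$WORK/$name/README"
    tar -czf "$WORK/$name.tar.gz" -C "$WORK" "$name"
    echo "$WORK/$name.tar.gz"
}

# Step 6: detached, ASCII-armored signature written next to the tarball
# as NAME.tar.gz.asc. Prints the signature path.
sign_tarball() {
    gpg_q --armor --detach-sign "$1"
    echo "$1.asc"
}

# What a user runs after downloading both files. Prints "ok" only when the
# signature was made by a key in the keyring over exactly these bytes.
verify_release() {
    sig=$1
    file=$2
    if gpg_q --verify "$sig" "$file" 2>/dev/null; then
        echo ok
    else
        echo FAILED
    fi
}

release_demo() {
    if ! make_release_key 2>/dev/null; then
        echo "could not generate a key (gpg-agent unavailable?); skipping demo" >&2
        return 0
    fi
    RELEASE_TARBALL=$(make_tarball mysoftware-0.4)
    RELEASE_SIG=$(sign_tarball "$RELEASE_TARBALL")

    # A user who received the genuine file.
    GOOD_RESULT=$(verify_release "$RELEASE_SIG" "$RELEASE_TARBALL")

    # A user who received a file differing by a single byte (a modified
    # mirror copy, or an archive regenerated with different compression).
    cp "$RELEASE_TARBALL" "$RELEASE_TARBALL.altered"
    printf 'x' >> "$RELEASE_TARBALL.altered"
    TAMPERED_RESULT=$(verify_release "$RELEASE_SIG" "$RELEASE_TARBALL.altered")

    echo "genuine tarball: $GOOD_RESULT"
    echo "altered tarball: $TAMPERED_RESULT"
}

# Needs gpg 2.1 or newer; skip cleanly where it is not installed.
if command -v gpg >/dev/null 2>&1; then
    release_demo
else
    echo "gpg not found; skipping demo" >&2
fi
```

A detached signature binds to the exact bytes that were signed, so users must run `gpg --verify` against the same file that was served with the release; any byte-level difference, whether from tampering or from an archive being regenerated differently for the same tag, yields a verification failure. Before the signature can say "Good signature", the user also needs your public key in their keyring, which is why step 5 asks you to publish it to a keyserver.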

You have successfully created a GnuPG-signed release on GitHub :)

(screenshot: result.png)