Daniel's GPG Key

Signing and Encrypting data with a GPG key

Preface

I have, at long last, decided to publish a GPG public key. As time goes on the security landscape becomes increasingly dangerous. Some people are publishing malicious software libraries to established projects, sharing software that has been modified, and impersonating other people. So how are we to trust anything that's shared online? How can you trust that my software comes from me and not someone who acquired my code-base? The answer is digital signatures.

GPG

You probably know of GPG, the tool for creating and managing public-private key pairs. GPG can:

  1. make keys for creating a digital signature, to prove the authenticity of a document or file
  2. make keys for encrypting a document or file, to ensure that only the holder of the private key can decrypt and read the data

If you download my GPG key you can import it into your keyring, and henceforth verify that an asset was signed by me. Or, you can encrypt a file and send it to me (but that's not an invitation for unsolicited email). I have uploaded the public key to the Ubuntu Key Server as well to make it easy for people to find.

See the section entitled Importing a public key in the manual for information on how to import the key and sign it with your key to trust it.

What's the plan, Dan?

I've started to sign my commits, something I wish I had been doing since the beginning. My contributions can be verified by checking signed commits with my public key. I will likely begin providing signatures for snaps and any binary executables I publish, and I may spend some time one evening to do this retrospectively as well.
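The import-and-verify workflow described above, as an added example that is not part of the original post: two throw-away keyrings stand in for the signer (who holds the private key) and a reader (who only ever sees the exported public key). The identity, file contents and directory names are constructed for the demo; the same `gpg --verify` step is what checks a detached signature on a release, and the tampered-file case shows what a failed check looks like.

```shell
#!/bin/sh
# Added example, not code from the original post. Uses two temporary
# GNUPGHOME directories so it runs offline: "signer" holds the private key,
# "reader" imports only the published public key.
set -e

WORK=$(mktemp -d)
SIGNER="$WORK/signer"; READER="$WORK/reader"
mkdir -m 700 "$SIGNER" "$READER"

# 1. Signer creates a key pair (constructed identity; no passphrase, demo only).
make_signing_key() {
    GNUPGHOME="$SIGNER" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Demo Signer <demo@example.invalid>" default default never
}

# 2. Signer publishes the public key as an ASCII-armoured file (what you would download).
export_public_key() {
    GNUPGHOME="$SIGNER" gpg --batch --quiet --armor --export demo@example.invalid > "$WORK/pubkey.asc"
}

# 3. Signer produces a detached, armoured signature for an asset ($1 = file).
sign_asset() {
    GNUPGHOME="$SIGNER" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$1.asc" "$1"
}

# 4. Reader imports the public key into their own keyring. gpg will still warn
#    that the key is not certified until the reader signs it with their own key.
import_public_key() {
    GNUPGHOME="$READER" gpg --batch --quiet --import "$WORK/pubkey.asc"
}

# 5. Reader verifies the signature ($1 = file); exit 0 only for a good signature.
verify_asset() {
    GNUPGHOME="$READER" gpg --batch --quiet --verify "$1.asc" "$1" 2>/dev/null
}

demo() {
    make_signing_key && export_public_key && import_public_key
    printf 'release build v1\n' > "$WORK/asset.bin"
    sign_asset "$WORK/asset.bin"
    verify_asset "$WORK/asset.bin" || return 1            # genuine file verifies
    printf 'tampered\n' >> "$WORK/asset.bin"
    if verify_asset "$WORK/asset.bin"; then return 1; fi  # modified file must fail
    GNUPGHOME="$SIGNER" gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$READER" gpgconf --kill gpg-agent 2>/dev/null || true
    echo "signature verified, tampering detected"
}
```

For signed commits, the matching git settings are `user.signingkey` (the key ID) and `commit.gpgsign true`; `git log --show-signature` then runs the same verification against the keys in your keyring.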

Round-up

That's it, a short and simple message. I would encourage you to sign your commits and to provide digital signatures for important assets you share to prove their authenticity.

Thanks, Daniel.