Am I the only person in the universe who verifies #PGP signatures for software source tarballs? This is the *second* time I've had to report this exact same ticket on the #etcd project: https://github.com/etcd-io/etcd/issues/11094
And the fact that they're replacing PGP signatures with a tool whose README (a) has a big warning that it's alpha-quality and should not be used, and (b) says that it is not a suitable replacement for PGP signatures and should not be used as such...
@roguelazer My package manager does it automatically for me.
Interesting because it seems they’re signing their git tags diligently: https://github.com/etcd-io/etcd/releases
I wonder what they mean by “having access to the signing key”. Sadly there are no procedures for access described on https://coreos.com/security/app-signing-key/