GPG sign single-file .js releases #2728

Daniel15 · 2017-02-20T02:17:03Z

Do you want to request a feature or report a bug?
Feature

What is the current behavior?
Out of all the files in the releases (eg. https://github.com/yarnpkg/yarn/releases/tag/v0.20.3), only the tarball and the MSI are signed. The tarball is signed using GPG, and the MSI is signed using an Authenticode certificate. Additionally, the .deb is signed as part of the Debian repo, but the individual file on Github is not signed.

What is the expected behavior?
We should also sign the standalone .js files (yarn-0.20.3.js and yarn-legacy-0.20.3.js).

The text was updated successfully, but these errors were encountered:

References yarnpkg/yarn#2728 References nodejs/docker-node#243

Daniel15 added the enhancement label Feb 20, 2017

Daniel15 self-assigned this Feb 20, 2017

Daniel15 mentioned this issue Feb 20, 2017

Please add yarn(awesome npm alternative) nodejs/docker-node#243

Closed

Daniel15 added a commit to Daniel15/yarn-release-infra that referenced this issue Feb 21, 2017

Sign .js release files in addition to .tar.gz files

82ab6b8

References yarnpkg/yarn#2728 References nodejs/docker-node#243

Daniel15 mentioned this issue Feb 21, 2017

Sign .js release files in addition to .tar.gz files yarnpkg/release-infra#11

Merged

Daniel15 closed this as completed Feb 21, 2017

BYK added cat-feature and removed cat-feature cat-enhancement labels Oct 26, 2017

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GPG sign single-file .js releases #2728

GPG sign single-file .js releases #2728

Daniel15 commented Feb 20, 2017

GPG sign single-file .js releases #2728

GPG sign single-file .js releases #2728

Comments

Daniel15 commented Feb 20, 2017