doc/Release.md
As of the PrivateBin 1.0 release we cryptographically sign our git commits and tags, so that you can verify we actually developed the software. Later, we also started signing the release archives on GitHub and retroactively signed all releases from 1.0 forward.
Since release 1.6.2 our release assets are additionally attested using the SLSA (Supply-chain Levels for Software Artifacts) framework, which provides an in-toto provenance manifest for the release archive.
This achieves the following:
For more information see the corresponding issue and the GitHub workflow file.
All release .tar.gz and .zip archives since 1.0 come with corresponding .asc signatures that can be used to confirm that the release was issued by a PrivateBin maintainer.
This uses traditional PGP signatures.
You can use the gpg signatures to verify the integrity of the archive and that a maintainer in possession of the corresponding PGP private key created the release with exactly that content:

```console
$ gpg2 --verify 1.6.2.tar.gz.asc
gpg: assuming signed data in '1.6.2.tar.gz'
gpg: Signature made Fri Dec 15 06:21:08 2023 UTC
gpg: using RSA key 28CA7C964938EA5C1481D42AE11B7950E9E183DB
gpg: Good signature from "PrivateBin release (solely used for signing releases)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 28CA 7C96 4938 EA5C 1481 D42A E11B 7950 E9E1 83DB
```

The two WARNING lines only say that the key is not certified in your local web of trust. The check that matters is that the reported primary key fingerprint is `28CA 7C96 4938 EA5C 1481 D42A E11B 7950 E9E1 83DB`, the PrivateBin release key: a "Good signature" from a key with any other fingerprint proves nothing about who issued the archive. Note that gpg exits with status 0 for a good signature from an uncertified key, so scripts must compare the fingerprint rather than rely on the exit code alone.
For a more detailed step-by-step guide, see this FAQ.
SLSA verification can be performed using the SLSA verifier.
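The following script is an added example of how to automate both checks described above (the PGP signature and the SLSA provenance); it is not part of PrivateBin's own tooling. It pins the release key fingerprint printed in the gpg output above and reads gpg's machine-readable `--status-fd` lines instead of trusting the exit code, so a "Good signature" from the wrong key fails. The provenance file name `multiple.intoto.jsonl`, the assumption that the git tag equals the version string, and the presence of the release key in your keyring are assumptions, marked as such in the comments.

```sh
#!/bin/sh
# Added example (not PrivateBin's own tooling): verify a downloaded release
# archive against its detached PGP signature and its SLSA provenance.
# Assumptions, marked below: the provenance file name, that the git tag
# equals the version string, and that the release key is already imported.
set -eu

# Primary key fingerprint from the gpg output on this page (spaces removed).
PRIVATEBIN_RELEASE_FPR=28CA7C964938EA5C1481D42AE11B7950E9E183DB
GPG=${GPG:-gpg}

# check_validsig EXPECTED_FPR
# Reads `gpg --status-fd` output on stdin and succeeds only if a VALIDSIG
# line names the pinned key and no BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG appears.
# gpg exits 0 for a good signature from an *uncertified* key, so the exit
# code alone does not tell you that the signer is the PrivateBin release key.
check_validsig() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        # VALIDSIG <sig-key-fpr> <date> <ts> <exp> <ver> <rsvd> <pkalgo> <hash> <class> [<primary-fpr>]
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_pgp ARCHIVE
# Runs gpg non-interactively; status lines go to stdout (fd 1), the
# human-readable messages go to stderr and are discarded here.
verify_pgp() {
    archive=$1
    "$GPG" --batch --status-fd 1 --verify "$archive.asc" "$archive" 2>/dev/null \
        | check_validsig "$PRIVATEBIN_RELEASE_FPR"
}

# verify_slsa ARCHIVE PROVENANCE TAG
# Checks the in-toto provenance with slsa-verifier against the source repo,
# so an archive built from another repository or tag is rejected.
verify_slsa() {
    slsa-verifier verify-artifact "$1" \
        --provenance-path "$2" \
        --source-uri github.com/PrivateBin/PrivateBin \
        --source-tag "$3"
}

# verify_release VERSION [PROVENANCE]
# Example: verify_release 1.6.2 multiple.intoto.jsonl
# Assumption: the default provenance file name and that the tag equals VERSION.
verify_release() {
    version=$1
    provenance=${2:-multiple.intoto.jsonl}   # assumed file name
    verify_pgp "$version.tar.gz" \
        || { echo "PGP verification failed for $version.tar.gz" >&2; return 1; }
    verify_slsa "$version.tar.gz" "$provenance" "$version" \
        || { echo "SLSA verification failed for $version.tar.gz" >&2; return 1; }
    echo "$version.tar.gz: PGP signature and SLSA provenance OK"
}

# Only run when invoked as `sh verify_release.sh --run 1.6.2 [provenance]`,
# so the functions can also be sourced from another script.
if [ "${1:-}" = "--run" ]; then
    shift
    verify_release "$@"
fi
```

Run it from the directory holding the archive, its `.asc` file and the provenance file. `check_validsig` deliberately accepts the pinned fingerprint either as the signing key (third field) or as the primary key (last field), so it keeps working if a subkey of the release key is used for signing.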
The release process is outlined in the release checklist. The key manual steps are performed using a Makefile and a shell script.