[CMake] GPG/PGP Signatures for binary CMake releases?

Jacob Appelbaum jacob at appelbaum.net
Fri May 23 22:06:28 EDT 2008


Hi,

I'm working on some software[0] that includes things built with CMake.

The process for building our project is semi-automated and to fully
automate it, we'd love to be able to verify your package releases.

As it stands, we can't verify that the software on your website is
correctly downloaded. It lacks even SHA1 or MD5 checksums. However, such
checksums are useful within a limited scope. Checksums can help detect
download errors but are not useful to prevent any sort of skilled
tampering by a dedicated attacker. It's important to us that we're able
to use CMake without having to worry that it was tampered with. We feel
that this is important to our users as it creates a good chain of trust
for the software we use.

Specifically, it would be great if the CMake developer team would use
GnuPG or PGP to sign current as well as future CMake releases. I could
have totally missed it but I don't believe this has been done. Am I
mistaken?

Does this seem like something that the CMake team may implement?

Best regards,
Jacob Appelbaum

[0] http://torbrowser.torproject.org/
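The distinction the message draws (a checksum catches download corruption, a signature against a key obtained out of band catches substitution) can be shown end to end. The script below is an added example and is not part of the mailing-list post or of the CMake project; it assumes GnuPG 2.1 or later and `sha256sum` are on the PATH, uses a throwaway key under a temporary `GNUPGHOME` with a hypothetical signer identity, and constructs both the "release" file and a replaced copy in place of any real download.

```shell
#!/bin/sh
# Added example, not from the original post. Demonstrates why a published
# checksum alone cannot detect a swapped release, while a detached GnuPG
# signature verified against a pinned publisher key can.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
export GNUPGHOME="$WORK/gnupg"
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

SIGNER='Release Signer <signer@example.invalid>'   # hypothetical identity

# --- publisher side: create a signing key, a release, a checksum, a signature
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "$SIGNER" default default never >/dev/null 2>&1

GOOD="$WORK/cmake-release.tar.gz"                  # constructed stand-in
printf 'constructed release contents\n' > "$GOOD"
GOOD_SUM="$GOOD.sha256"
sha256sum "$GOOD" | awk '{print $1}' > "$GOOD_SUM"
GOOD_SIG="$GOOD.asc"
gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
    --local-user "$SIGNER" --detach-sign --armor --output "$GOOD_SIG" "$GOOD"

# --- what a party controlling the download server could publish instead:
# a different file together with a matching checksum (no key needed for that)
TAMPERED="$WORK/cmake-release-replaced.tar.gz"
printf 'constructed replaced contents\n' > "$TAMPERED"
TAMPERED_SUM="$TAMPERED.sha256"
sha256sum "$TAMPERED" | awk '{print $1}' > "$TAMPERED_SUM"

# --- downloader side --------------------------------------------------------
# checksum_ok FILE SUMFILE: exit 0 if the file hashes to the published digest.
checksum_ok() {
    [ "$(sha256sum "$1" | awk '{print $1}')" = "$(cat "$2")" ]
}

# signature_ok FILE SIGFILE: exit 0 only if SIGFILE is a valid detached
# signature over FILE by a key already present in the local keyring, i.e. a
# key the downloader pinned beforehand rather than fetched alongside the file.
signature_ok() {
    gpg --batch --quiet --verify "$2" "$1" >/dev/null 2>&1
}

# verify_release FILE SUMFILE SIGFILE: the full check a build pipeline would
# run; the checksum guards against truncation, the signature against swaps.
verify_release() {
    checksum_ok "$1" "$2" && signature_ok "$1" "$3"
}

# Stand-alone run: report each case.
if verify_release "$GOOD" "$GOOD_SUM" "$GOOD_SIG"; then
    echo "genuine release: checksum and signature OK"
fi
if checksum_ok "$TAMPERED" "$TAMPERED_SUM"; then
    echo "replaced release: checksum matches (attacker republished it)"
fi
if ! signature_ok "$TAMPERED" "$GOOD_SIG"; then
    echo "replaced release: signature does NOT verify"
fi
```

The key point is where the verification material comes from: the checksum file lives next to the download and is replaced together with it, whereas the public key used by `signature_ok` was imported into the keyring before the download and the signature cannot be regenerated without the corresponding private key. In a real pipeline the key fingerprint would be recorded in the build scripts rather than the temporary key created here.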
