Suggest use of PGP Validation on Mist Releases

[danielmcclure]

Thanks for developing and Mist and bringing on board earlier suggestions of issuing checksums with releases. I noticed that GitHub now allows for GPG verification of releases and believe this would be a great addition to the release cycle for software that interacts with so much value on a daily basis.

https://github.com/blog/2144-gpg-signature-verification

[Nogreedy]

+1
Mist is great
Of course, we have MD5 hash to check validity but we need PGP Validation on Mist Releases.
Thanks @alexvandesande

[SecTec]

+1
The missing PGP verification prevents me from installing the Ethereum client.

[evertonfraga]

Wonderful.

I did my first signed commit and I'll definitely look into tagging the following releases (0.8.2 is already on the way, so hope to have it on following versions).

@luclu @alexvandesande @frozeman @hiddentao
Do you have any suggestions about managing a team GPG key, instead of signing from individual key?

[evertonfraga]

Done in 0.8.3. I'll bug everyone on the following releases so we keep having them verified.

Thanks @danielmcclure .

[danielmcclure]

Great to see signing in this version! To back up the key signing it would also be useful to have each of the developers public keys available to view on GitHub (not sure if I'm just missing this, I only see fingerprint) but also to have them listed on a third party such as the official Ethereum site so that new users can verify between platforms and both platforms would have to be compromised for somebody to sneak a rogue key in.

[luclu]

Infrastructure still not complete yet: #1184

[maxme]

version 0.8.4 is not signed also I noticed tag naming inconsistency v0.8.4, 0.8.3

[evertonfraga]

@maxme As for the version naming, we changed to "v" prefix, in order to fit our new automated build process.

About PGP: I've signed the 0.8.3 tag manually. And 0.8.4 wasn't signed. work is being done in order to automate all those steps.