Missing signature for 2.8.0 release

[atsampson]

NUT tarball releases usually have a GPG signature so packagers can verify they're legitimate.

However, the 2.8.0 release doesn't seem to have one - the link on the download page is broken, and there's no file in the download directory.

[jimklimov]

Yes, that is now a "known oversight" since change of maintainer some time back; nobody in the current team has jumped through the loops recommended for a GPG key yet, and GitHub commit validation was deemed similar enough in practice when the ritual keys were handed over.

But still, thanks for the reminder and I hope to get around to this. Got some reading to do first:

• https://www.kernel.org/doc/html/latest/process/maintainer-pgp-guide.html
• https://docs.fedoraproject.org/en-US/quick-docs/create-gpg-keys/
• https://github.com/lfit/itpol/blob/master/protecting-code-integrity.md

[atsampson]

Great - thanks, Jim!

[jimklimov]

So... it took a while to get feet wet, but now I have a GPG key pushed out to some registries like openpgp, debian and ubuntu. Wondering what the next part is, if some distros or their keychains should include me in packages? Just spread the word on NUT website and in the NEWS file? :)

[jimklimov]

FWIW, my fancy new GPG key ID is below:

$ gpg --recv-key DE0184DA7043DCF7
gpg: key DE0184DA7043DCF7: public key "Jim Klimov (Doing FOSS since last millennium) <jimklimov@gmail.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

[jimklimov]

Tagged https://github.com/networkupstools/nut/releases/tag/v2.8.0-signed and posted the signature file (nut-website "source" repo and github release attachment).

[jimklimov]

networkupstools/networkupstools.github.io@dc3665a

[jimklimov]

SIG file finally got made and published, this issue is resolved :)

(There is another related issue of Download page offering a non-release tag currently; however it is possible to get through the "You can also browse the stable source directory" link for verification).