curl / Mailing Lists / curl-library / Single Mail
Buy commercial curl support from WolfSSL. We help you work out your issues, debug your libcurl applications, use the API, port to new platforms, add new features and more. With a team lead by the curl founder himself.

Re: Reproducing the release tarballs

From: Daniel Stenberg via curl-library <>
Date: Sat, 30 Mar 2024 19:33:20 +0100 (CET)

On Sat, 30 Mar 2024, wrote:

> While we are here … can we outline all processes to tarball - for example I
> see no signing step

I did not mention signing because it does not strictly affect the tarball as
the signature is separate. I gpg sign every release and have done so for more
than a decade.

> - also wonder if we need to consider signing tarballs (and all release
> artefacts) using cosign ?

What benefits would that bring?

  | Commercial curl support up to 24x7 is available!
  | Private help, bug fixes, support, ports, new features

Received on 2024-03-30