Creating signed GitHub releases

If your software is hosted at GitHub, you may think you don’t need to do anything special to release your work for distribution.

A collection of non-sequential, undifferentiated commit hashes is not a good way to refer to known releases of your software. It is a good idea to explicitly create releases, each with a clear, meaningful version string. This makes packaging work much easier and also gives your users an easy-to-use mechanism for getting a specific version of your software.

It is an even better idea to additionally sign your releases with your GnuPG key. This way, your users can verify that what they downloaded is byte-for-byte the tarball you signed, and that it was signed by you rather than by whoever controls the download location.

1. Create a new tag in your Git repository:

git tag mysoftware-0.4
git push --tags

2. Go to your GitHub project and click on the “Releases” link.

3. Click on “Draft a new release”, fill in the tag, title and description fields and click on “Publish release”.

4. Go back to your “Releases” section and download the tarball mysoftware-0.4.tar.gz that GitHub generated automatically from the tag.

5. If you do not have a GnuPG key yet, learn how to create one and make sure it is uploaded to a public keyserver.

6. Sign the tarball with your key:

gpg --armor --detach-sign mysoftware-0.4.tar.gz

This produces a file called mysoftware-0.4.tar.gz.asc, an ASCII-armoured detached signature over the tarball.

7. Edit your release again and attach the detached signature mysoftware-0.4.tar.gz.asc as a release asset. Attach the exact tarball you signed as well: the source archives GitHub generates from a tag are produced on demand and are not guaranteed to stay byte-for-byte identical over time, so a signature made over one download may not verify against a later one.


You have successfully created a GnuPG-signed release on GitHub :)
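The post shows the signing side only. As an added example, not part of the original post, the script below runs steps 6 and 7 end to end and then plays the user's role: it generates a throwaway key, builds a stand-in for the tarball, signs it exactly as in step 6, verifies the detached signature, and shows that a one-byte change to the tarball makes verification fail. The key, the tarball contents and the address release@example.invalid are constructed for the demo; a real release uses the key you published to a keyserver.

```shell
#!/bin/sh
# Added example (not from the original post): sign a release tarball with
# GnuPG and verify the detached signature, including the tampered-file case.
# Everything here is constructed for the demo: a throwaway key, a fake
# tarball, and the placeholder address release@example.invalid. A real
# release uses the key you published to a keyserver, not a temporary one.
set -eu

if ! command -v gpg >/dev/null 2>&1; then
    echo "gpg is not installed; nothing to demonstrate" >&2
    exit 0
fi

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
echo allow-loopback-pinentry > "$GNUPGHOME/gpg-agent.conf"

# gpg with the options needed to run unattended with an empty passphrase.
gpgb() {
    gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"
}

# Throwaway signing key, for the demo only.
gpgb --quick-generate-key "Release Bot <release@example.invalid>" default default never 2>/dev/null
FPR=$(gpg --list-secret-keys --with-colons | awk -F: '$1 == "fpr" { print $10; exit }')

# Constructed stand-in for the tarball GitHub generates from the tag.
TARBALL="$WORK/mysoftware-0.4.tar.gz"
mkdir -p "$WORK/mysoftware-0.4"
printf 'hello release\n' > "$WORK/mysoftware-0.4/README"
tar -C "$WORK" -czf "$TARBALL" mysoftware-0.4

# sign_release FILE: step 6 of the post, producing the detached signature FILE.asc.
sign_release() {
    gpgb --armor --detach-sign --local-user "$FPR" --output "$1.asc" "$1"
}

# verify_release FILE: what a user runs after downloading FILE and FILE.asc
# and importing the maintainer's public key. Exits 0 only for a good signature.
verify_release() {
    gpg --batch --verify "$1.asc" "$1" 2>/dev/null
}

sign_release "$TARBALL"

# Any change to the tarball, even one appended byte, must break verification.
cp "$TARBALL" "$WORK/tampered.tar.gz"
cp "$TARBALL.asc" "$WORK/tampered.tar.gz.asc"
printf 'x' >> "$WORK/tampered.tar.gz"

verify_release "$TARBALL" && echo "OK: $TARBALL verifies against $TARBALL.asc"
verify_release "$WORK/tampered.tar.gz" || echo "OK: tampered copy rejected (gpg exit status $?)"

gpgconf --kill gpg-agent 2>/dev/null || true
echo "demo files left in $WORK"
```

For a real release the user side is just `gpg --verify mysoftware-0.4.tar.gz.asc mysoftware-0.4.tar.gz` after importing your public key. Two caveats worth passing on to users: gpg reports "Good signature" for any key in the keyring, trusted or not, so publish your key fingerprint somewhere users can check it against the key they imported; and a signature only proves the tarball is unchanged since you signed it, so sign the file you actually upload, not one GitHub regenerates later. If you also want the tag itself to carry your signature, `git tag -s mysoftware-0.4` creates a signed annotated tag in place of the lightweight tag from step 1.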

