> It is good practice in open source projects to publish cryptographic signatures alongside the tarball source releases, so that e.g. Linux distributions and other downstreams can use OpenPGP to verify the authenticity of the imported release.
While I like the idea, I think the loose knit nature of the development team who are allowed to make releases means a single shared PGP key is not realistic. Perhaps individual developers could sign their releases with their own keys?
Yes, releases can be signed with any of a known list of keys. It doesn't have to be a single key signing all releases.
But the list of keys should be pre-published and not change too often.
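The arrangement described in this thread, as an added example that is not part of the issue and not xclip's own release tooling: each release manager signs the tarball with their personal key, the project publishes the list of allowed keys once as a keyring, and a downstream verifies the detached signature against only that pinned keyring. It assumes GnuPG 2.1 or later (`gpg`, `gpgv`, `gpgconf`) on PATH; the user ids, e-mail addresses, file names and tarball contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not xclip project code): per-maintainer release signing
# verified against a pre-published keyring of allowed release keys.
# Assumptions: GnuPG 2.1+ (gpg, gpgv, gpgconf) on PATH; all names, e-mail
# addresses and the "tarball" content below are constructed for the demo.
set -eu

if ! command -v gpg >/dev/null 2>&1 || ! command -v gpgv >/dev/null 2>&1; then
    echo "gpg/gpgv not found; nothing to demonstrate" >&2
    exit 0
fi

# Throwaway GnuPG home so the demo never touches a real keyring.
WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupghome"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$WORK"' EXIT

make_key() {
    # $1 = user id. Signing-only ed25519 key without a passphrase (demo only;
    # a real release key belongs on a smartcard or at least behind a passphrase).
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$1" ed25519 sign >/dev/null 2>&1
}

sign_release() {
    # $1 = tarball, $2 = signer's user id. Writes the detached, ASCII-armored
    # signature to $1.asc, which is the file published next to the tarball.
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --local-user "$2" --armor --detach-sign --output "$1.asc" "$1"
}

verify_release() {
    # $1 = tarball, $2 = detached signature, $3 = pinned keyring (absolute path).
    # gpgv trusts exactly the keys in the given keyring and nothing else, so a
    # signature from a key that is not on the list fails just like a bad one.
    gpgv --keyring "$3" "$2" "$1" >/dev/null 2>&1
}

run_scenarios() {
    # Two release managers are on the published list; a third person is not.
    make_key "Release Manager A <a@example.invalid>"
    make_key "Release Manager B <b@example.invalid>"
    make_key "Not A Release Manager <nobody@example.invalid>"

    # The pre-published list of release keys, exported as a binary keyring
    # (gpgv does not read ASCII-armored keyrings). Downstreams pin this file
    # and only need to update it when the list of release managers changes.
    keyring="$WORK/release-keys.gpg"
    gpg --batch --quiet --export a@example.invalid b@example.invalid > "$keyring"

    tarball="$WORK/xclip-release.tar.gz"   # constructed stand-in, not a real tarball
    printf 'constructed release contents\n' > "$tarball"

    # 1. Signed by A: good.  2. Signed by B: also good; no shared key needed.
    sign_release "$tarball" a@example.invalid
    verify_release "$tarball" "$tarball.asc" "$keyring" && r1=good || r1=bad
    sign_release "$tarball" b@example.invalid
    verify_release "$tarball" "$tarball.asc" "$keyring" && r2=good || r2=bad

    # 3. Tarball modified after signing: the signature no longer matches.
    printf 'backdoor\n' >> "$tarball"
    verify_release "$tarball" "$tarball.asc" "$keyring" && r3=good || r3=bad

    # 4. Fresh tarball, validly signed but by a key not on the published list.
    printf 'constructed release contents\n' > "$tarball"
    sign_release "$tarball" nobody@example.invalid
    verify_release "$tarball" "$tarball.asc" "$keyring" && r4=good || r4=bad

    echo "$r1 $r2 $r3 $r4"
}

RESULTS=$(run_scenarios)
echo "results (expected: good good bad bad): $RESULTS"
```

Scenario 4 is the one that distinguishes "signed" from "signed by someone allowed to release": `gpg --verify` against the user's default keyring would happily report a good signature from any key it happens to know, whereas `gpgv --keyring` with a pinned file answers the question downstreams actually care about. Debian's `uscan`, for instance, works this way with `debian/upstream/signing-key.asc`.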
Thanks for continued work on xclip and hopefully there will be a new release in 2025!
This project uses rich releases at https://github.com/astrand/xclip/releases. Could you please consider also offering signatures?
It is good practice in open source projects to publish cryptographic signatures alongside the tarball source releases, so that e.g. Linux distributions and other downstreams can use OpenPGP to verify the authenticity of the imported release.
This is not a hard requirement, just nice to have. Managing OpenPGP keys securely requires some effort. A good guide on the topic can be found at https://github.com/lfit/itpol/blob/master/protecting-code-integrity.md/