Suggestions for managing the private key for an open-source project?
Asked by Steve Voida
Hi Andy and company,
Now that Sparkle requires signed code, can anyone offer a recommendation about good strategies for handling the private key in the context of an open-source project? My gut instinct is that the private key should remain at least semi-private (e.g., posted in the SSH space on SourceForge that only approved developers can access) so that I can provide the users some peace of mind that Sparkle is only picking up project-sanctioned updates. On the other hand, it *is* a project that I want others to be able to pick up and use, so locking the key away also seems sub-optimal.
Does anyone else have a good solution for what to do in this case? Any suggestions would be greatly appreciated.
Best,
Steve
Question information
- Language: English
- Status: Solved
- For: Sparkle
- Assignee: No assignee
- Solved by: Andy Matuschak