Signed vs. unsigned releases

[apyrgio]

Hi! I've noticed that the v0.6.3 release does not offer a signed vfkit binary, as v0.6.1 did. I wanted to ask if this is intended, and if yes, how we can verify this binary. For example, is there a signature somewhere, can we reproduce it locally?

[cfergeau]

The unsigned binary comes from github actions https://github.com/crc-org/vfkit/actions/runs/20855729478 , but for some reason the binary is no longer there to allow to check it’s the correct one :-/
I’ll look at adding a signed binary as it’s indeed not clear where the unsigned one came from and it cannot be checked.
A local build (using make) from the tag should generate a similar binary, but I don’t think it will be bit for bit identical (ie no reproducible builds)

[apyrgio]

Thank you, much appreciated 🙂

[apyrgio]

Hi! Quick check for the possibility of adding signed binaries, since I'm a bit unclear on what's the resolution here. If that's not an option, that's understandable, I'll close this issue and proceed with the unsigned ones.