Sign source tarball

[kelson42]

Provide detached signature with zimlib and kiwix tarballs. Debian project now encourages upstream to provided signed tarballs so we can make sure nothing is tampered with tarball while we download
https://www.gnupg.org/gph/en/manual/x135.html

From https://sourceforge.net/p/kiwix/feature-requests/809/

[dilankavishka]

Can i work on this issue please? @kelson42

[dev-KartikSharma]

Hi @kelson42 , I noticed this issue was raised a year ago, and I wanted to check if it’s still available to work on. Is the assignment of this issue still open? I'd be happy to contribute if needed.

Thanks!

[kelson42]

@dev-KartikSharma Yes, how do you want to proceed?

[dev-KartikSharma]

to provide a detached signature for your tarballs using zimlib and kiwix can use GPG to generate and verify the signature of tarballs thats the idea i'm thinking of

[dev-KartikSharma]

Hi @kelson42,
I’ve made a few changes to builder.py to handle the GPG tarballs signature. I believe it’s ready for a PR, but I wanted to confirm if these changes align with the project's goals. Looking forward to your feedback before proceeding!
Thanks in advance!

[kelson42]

@dev-KartikSharma Please make PR so we can have a look please

[dev-KartikSharma]

I’ve submitted the PR please take a look when you get a chance. I’m waiting for your review or any suggestions for further changes.

[dev-KartikSharma]

@kelson42 was I supposed to mention you for review in the Pull request??

[kelson42]

@dev-KartikSharma yes and no... but now this is clear that your PR is ready to review.

[dev-KartikSharma]

@kelson42 it's was the first ever pr so I had no idea about it😅