Type: Task
Resolution: Unresolved
Priority: Major - P3
Affects Version/s: None
Component/s: None
Proposal:
- Sign the libmongocrypt-all.tar.gz tarball using GaraSign.
- Make the signature available for users to verify.
- Update pymongocrypt documentation to refer to the signature. (File a PYTHON ticket?)
Background:
As part of SSDLC requirements, the Windows binary artifact is signed (MONGOCRYPT-681). This was thought to be the only relevant binary to sign in the libmongocrypt release, since it is the only binary included in the release on GitHub. However, https://pypi.org/project/pymongocrypt/ directs users to install libmongocrypt-all.tar.gz.
Alternatively: if MONGOCRYPT-841 is addressed, consider removing libmongocrypt-all.tar.gz entirely.
- is related to MONGOCRYPT-841 Release signed binaries
- Backlog