Hi folks, does anyone know why Conan releases aren't code-signed (e.g. by JFrog) or come at the very least with a hash list to integrity-check the download? I tried looking for open or closed tickets, but the sheer number was overwhelming, so I am not sure if this came up before.
Essentially anything I get I have to take at face value and I have no way of telling whether it is what was uploaded. A hash list and potentially a PGP-signature would already help as well.
Other projects use JSON or YAML files to describe the artifacts in a release which can then also be used by Chocolatey or WinGet to automate the releases to those package managers.
Comment from Slack:
We could consider implementing code signing for the releases to allow users to verify that the files have indeed been issued by us and have not been altered since they were signed.
Providing a hash list (e.g., SHA-256) for each release would enable users to check the integrity of the downloaded files against the provided hashes.
Just want to bump this. We're in a fairly high-security environment, and so far Conan 2 has been amazing, but we'll need to wait until a feature like this is available before we start using it for our production builds.
Thanks for your comments. Since version 2.6.0, which has just been released, we are signing the tag for the release and also providing a file with the hashes for all the released files along with the signed hashes.
You can check the new release here: https://github.com/conan-io/conan/releases/tag/2.6.0
The GPG key ID is: B6A4BE3775D17B04
Closing this issue as completed. Please feel free to reopen it or open a new issue for any more questions about this.
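The verification steps the maintainers describe (signed tag, hash list, signature over the hash list), written out as an added example that is not part of this issue or of Conan's own tooling. The file names `hashes.txt` and `hashes.txt.asc`, the keyserver `keys.openpgp.org` and the tag name passed to `git verify-tag` are assumptions; only the key ID comes from the comment above. The sample archive bytes in the usage are constructed.

```shell
#!/bin/sh
# Added example (not Conan's own tooling): verifying a release download against a
# SHA-256 hash list and the GPG signature over that list, as the maintainers describe.
# Assumptions: the hash list is named hashes.txt with a detached signature
# hashes.txt.asc, and the signing key is published on keys.openpgp.org.
set -u

KEY_ID="B6A4BE3775D17B04"   # key ID stated by the maintainers in this issue

# 1. Import the release key and print its full fingerprint so it can be compared
#    against a copy obtained out of band (a 16-hex-digit key ID alone is not enough:
#    key IDs can be brute-forced, fingerprints cannot).
import_release_key() {
    gpg --keyserver hkps://keys.openpgp.org --recv-keys "$KEY_ID" || return 1
    gpg --fingerprint "$KEY_ID"
}

# 2. Verify the signed git tag inside a clone of the repository (e.g. tag "2.6.0").
verify_release_tag() {
    git verify-tag "$1"
}

# 3. Verify the detached signature over the hash list. Trust gpg's exit status,
#    not its output: "Good signature" goes to stderr and is not stable to grep.
verify_hash_list_signature() {
    gpg --verify "$1.asc" "$1"
}

# 4. Check every file listed in the hash list. Only meaningful after step 3: an
#    attacker who can swap the archives can just as easily swap an unsigned list.
#    Falls back to shasum on systems without GNU coreutils.
verify_hashes() {
    dir="$1"; list="$2"
    ( cd "$dir" && {
        if command -v sha256sum >/dev/null 2>&1; then
            sha256sum --check --strict "$list"
        else
            shasum -a 256 --check --strict "$list"
        fi
    } )
}

# Producer side, for completeness: write a hash list in the format step 4 consumes.
write_hash_list() {
    dir="$1"; list="$2"; shift 2
    ( cd "$dir" && {
        if command -v sha256sum >/dev/null 2>&1; then
            sha256sum "$@"
        else
            shasum -a 256 "$@"
        fi
    } > "$list" )
}

# Usage against a downloaded release directory (network needed only for the key):
#   import_release_key \
#     && verify_hash_list_signature ./conan-2.6.0/hashes.txt \
#     && verify_hashes ./conan-2.6.0 hashes.txt
```

Order matters: the signature check on the hash list comes before the hash check, and the key fingerprint must be compared against something that did not arrive over the same channel as the download, otherwise the chain proves only that the files match whatever list happened to be served.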