So, after changing from hosting my own site to publishing it on Vercel, my repos and downloads moved to GitHub. What I didn’t take into account was GPG signing the released source code.

Now, GitHub will automatically create gzip and zip archives of each repository from tags. Great! My main dev box is currently running DragonFlyBSD, which comes with NetBSD’s gzip implementation. GitHub, I would imagine, uses the GNU implementation. The gzip format makes no guarantee about a specific byte layout - there are variable header fields and encoder options. The two gzips, whilst compatible with each other, do not emit identical byte streams. The zip format is even worse for variation, and those are the two that GitHub offers in a release, with no scope for others.

This means I cannot sign GitHub automatic source release archives. What’s the solution then?

Well, the long and short of it is that you only sign what you have produced. As such, every release now has a tar.xz source archive which I produce, with a detached PGP signature alongside it. By all means use the GitHub autogenerated archives, but they will never have my PGP signature.
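To make the two points above concrete, here is an added example (not code from the post or from any project it mentions) using only the Python standard library. The first function compresses one payload twice with gzip settings that differ only in header fields, showing that two valid gzip streams of the same content need not be byte-identical, so a detached signature over one will not verify against the other. The second builds a tar.xz with fixed ownership, mtime and entry order, so that rebuilding it from the same tree gives the same bytes and a signature made over it stays valid. The source tree is a constructed sample.

```python
from __future__ import annotations

import gzip
import hashlib
import io
import lzma
import tarfile

# Constructed sample "source tree" (path -> contents); not a real project.
SAMPLE_TREE: dict[str, bytes] = {
    "proj-1.0/README": b"example project\n",
    "proj-1.0/src/main.c": b"int main(void) { return 0; }\n",
    "proj-1.0/Makefile": b"all:\n\tcc -o main src/main.c\n",
}


def gzip_variants(payload: bytes) -> tuple[bytes, bytes]:
    """Compress the same payload twice with settings that differ only in
    the gzip header (MTIME field, XFL level byte). Both streams are valid
    gzip and decompress to the same payload, but their bytes differ, which
    is the situation with two gzip implementations producing the "same"
    archive: a signature over one stream does not verify on the other."""
    first = gzip.compress(payload, compresslevel=9, mtime=0)
    second = gzip.compress(payload, compresslevel=6, mtime=1)
    return first, second


def gzip_roundtrip_equal(first: bytes, second: bytes) -> bool:
    """True if both gzip streams decompress to identical content."""
    return gzip.decompress(first) == gzip.decompress(second)


def build_release_archive(tree: dict[str, bytes]) -> bytes:
    """Build a tar.xz whose bytes depend only on the tree contents.

    Entries are added in sorted order with fixed mode, ownership and mtime
    (the values that normally leak in from the build host), and xz
    compression with a fixed preset is deterministic, so repeated builds
    are byte-identical. This is what makes a detached signature over the
    archive meaningful: anyone rebuilding from the same tree gets the
    same bytes and the same signature verifies."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(tree):
            info = tarfile.TarInfo(name)
            info.size = len(tree[name])
            info.mtime = 0           # do not embed the build time
            info.mode = 0o644
            info.uid = info.gid = 0  # do not embed the packager's uid/gid
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(tree[name]))
    return lzma.compress(tar_buf.getvalue(), format=lzma.FORMAT_XZ, preset=9)


def read_archive(blob: bytes) -> dict[str, bytes]:
    """Decompress and unpack a tar.xz produced above, returning path -> contents."""
    data = lzma.decompress(blob)
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        return {
            member.name: tar.extractfile(member).read()
            for member in tar.getmembers()
            if member.isfile()
        }


def sha256_hex(blob: bytes) -> str:
    """Digest of the archive bytes; the value a detached signature commits to."""
    return hashlib.sha256(blob).hexdigest()


if __name__ == "__main__":
    a, b = gzip_variants(b"same source tarball\n" * 64)
    print("gzip streams identical:", a == b,
          "| content identical:", gzip_roundtrip_equal(a, b))
    archive = build_release_archive(SAMPLE_TREE)
    print("tar.xz sha256:", sha256_hex(archive))
    print("rebuild identical:", archive == build_release_archive(SAMPLE_TREE))
```

Once the archive bytes are stable, the signing step is the usual `gpg --armor --detach-sign proj-1.0.tar.xz`, published next to the archive, and a user checks it with `gpg --verify proj-1.0.tar.xz.asc proj-1.0.tar.xz`. The GitHub-generated `.tar.gz` and `.zip` for the same tag will have a different SHA-256 from this file, which is exactly why no signature from the author can cover them.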