I’ve searched quite a bit now, but I can’t find the public PGP key to verify the Caddy builds with. Is it uploaded somewhere?
I should put the link somewhere. It’s on Keybase: https://keybase.io/caddy
Ah, I see. Thanks! A link on the download page would be very nice - googling “caddy public pgp key” and similar finds nothing relevant - no references to keybase at all
Also, keybase looks nifty for some things, but unfortunately it doesn’t work like a keyserver or push public keys to one. It’s pretty neat to be able to find and import the key directly from gpg, so please consider publishing it on a normal keyserver too.
That’s a good idea, I’ll get around to it. And the Download page is ripe for some more information about what to do after downloading.
It would also be good if the signed files were also published on the GitHub page in the event the build server is down. The other advantage of the GitHub releases page is it provides a way to specify which version to download (I didn’t see a way to do this via passing a parameter to https://caddyserver.com/download/darwin/amd64.
While most folks will always want to run the latest version, requesting a specific version via curl is helpful in special use cases like a Docker image which wants to use tags to pull different versions.
I understand this functionality was omitted from the new build server by conscious decision not to make outdated versions available, but I can’t recall where on the forums (if it even was stated on these forums) that was said.
Yeah, I’ll improve GitHub releases over time.
Matthew is right; before I make it easier for people to download old versions, I want to get auto-upgrade implemented.