Release signatures
Adam Majer
amajer at suse.de
Wed Feb 6 02:48:00 PST 2019
Hello,
The releases are signed in a funny way. The .asc files are not detached
signatures of the checksum, but actually contain it inside the .asc file.
# gpg -v --verify notmuch-0.28.1.tar.gz.sha256.asc
...
gpg: binary signature, digest algorithm SHA256, key algorithm rsa3072
gpg: WARNING: not a detached signature; file
'notmuch-0.28.1.tar.gz.sha256' was NOT verified!
A much better way of signing this would have been as a detached
signature of the tarball itself. Why sign a hash of a hash? ;)
# gpg --detach --sign notmuch-0.28.1.tar.gz
-> notmuch-0.28.1.tar.gz.sig
Then you can verify this is a properly signed binary,
# gpg -v --verify notmuch-0.28.1.tar.gz.sig
gpg: assuming signed data in 'notmuch-0.28.1.tar.gz'
gpg: Signature made Wed 06 Feb 2019 11:37:19 AM CET
gpg: using RSA key 4BE7C1D3CC65813AF349D42F864508B01B2679CF
gpg: using subkey 864508B01B2679CF instead of primary key E523F220AC8DFBD0
...
gpg: binary signature, digest algorithm SHA512, key algorithm rsa3904
The digest algorithm is from the key preferences, which you can change.
You can also specify it as --digest-algo option, if you prefer.
Best regards,
- Adam
PS. I'm not on the list. Please cc me if you would like any response ;)
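The warning quoted above is the whole problem in one line: gpg has checked the signature on the .asc, but the tarball named inside it was "NOT verified". If a consumer keeps the hash-of-hash scheme, verification has two halves: let gpg check the signature and hand back the signed content (for example `gpg --output SUMS --decrypt notmuch-0.28.1.tar.gz.sha256.asc`, which only writes the data after the signature checks out), then compare the digest in that content against the tarball actually downloaded. The block below is an added example, written for this page and not part of Adam's mail or of notmuch; it does the second half in stdlib Python and also classifies an .asc file by its armor header so the inline-vs-detached trap is visible before gpg is run. The sample manifest, file name and three-byte "tarball" are constructed (the digest is the standard SHA-256 test vector for "abc"), not data from a real release.

```python
"""Second half of verifying an OpenPGP-signed checksum file.

`gpg --verify` on an inline-signed .asc only proves the .asc is signed; the
tarball it names is still unverified.  After gpg has checked the signature
and written out the signed content, the digest in that content must be
compared against the tarball.  This module does that comparison.
"""
import hashlib
import hmac
import re

# One line of sha256sum output: 64 hex digits, then two spaces (text mode)
# or " *" (binary mode), then the file name, taken verbatim.
_SUM_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def classify_armor(text: str) -> str:
    """Heuristic on the first armor line: what kind of .asc is this?

    Only a detached signature (BEGIN PGP SIGNATURE) verifies a separately
    supplied file under `gpg --verify`.  BEGIN PGP MESSAGE is an inline-signed
    (or encrypted) object and BEGIN PGP SIGNED MESSAGE is clearsigned; with
    either, the tarball is not what gpg checked.
    """
    head = text.lstrip().splitlines()[0] if text.strip() else ""
    if head == "-----BEGIN PGP SIGNED MESSAGE-----":
        return "clearsigned"
    if head == "-----BEGIN PGP SIGNATURE-----":
        return "detached"
    if head == "-----BEGIN PGP MESSAGE-----":
        return "inline"
    return "unknown"


def parse_sha256sums(text: str) -> dict:
    """Parse sha256sum-format lines into {filename: lowercase hexdigest}.

    Unparseable lines are an error rather than skipped: a signed manifest
    should not contain anything the verifier cannot interpret.
    """
    sums = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = _SUM_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a sha256sum entry: {line!r}")
        digest, name = m.group(1).lower(), m.group(2)
        if name in sums and sums[name] != digest:
            raise ValueError(f"line {lineno}: conflicting digests for {name!r}")
        sums[name] = digest
    return sums


def verify_tarball(sums_text: str, filename: str, data: bytes) -> bool:
    """True iff `data` matches the digest the signed manifest lists for
    exactly `filename`.  A file the manifest does not name fails, not skips."""
    sums = parse_sha256sums(sums_text)
    expected = sums.get(filename)
    if expected is None:
        return False
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison: a mismatch reveals nothing about how many
    # leading characters agreed.
    return hmac.compare_digest(actual, expected)


# --- constructed sample data (not a real notmuch release) -------------------
# The "tarball" is the three bytes b"abc"; the manifest carries the standard
# SHA-256 test vector for it, plus a binary-mode ("*") entry for an empty file.
SAMPLE_TARBALL = b"abc"
SAMPLE_SUMS = (
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  notmuch-0.28.1.tar.gz\n"
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 *empty.tar.gz\n"
)
# Only the first armor line matters to classify_armor; the body is a placeholder.
SAMPLE_ASC_HEAD = "-----BEGIN PGP MESSAGE-----\n\n(constructed placeholder body)\n-----END PGP MESSAGE-----\n"

if __name__ == "__main__":
    print(classify_armor(SAMPLE_ASC_HEAD))                                           # inline
    print(verify_tarball(SAMPLE_SUMS, "notmuch-0.28.1.tar.gz", SAMPLE_TARBALL))      # True
    print(verify_tarball(SAMPLE_SUMS, "notmuch-0.28.1.tar.gz", SAMPLE_TARBALL + b"\n"))  # False
    print(verify_tarball(SAMPLE_SUMS, "notmuch-0.28.2.tar.gz", SAMPLE_TARBALL))      # False
```

With a detached .sig of the kind Adam proposes, none of this is needed: `gpg --verify notmuch-0.28.1.tar.gz.sig notmuch-0.28.1.tar.gz` names the data file explicitly and gpg's own "Good signature" then speaks about the tarball itself. When the signed object is a manifest, binding the exact file name (as `verify_tarball` does) matters too, since a manifest that lists several artifacts must not let a digest for one file vouch for another.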