Release signatures

David Bremner david at tethera.net
Sun Feb 10 05:51:01 PST 2019


Adam Majer <amajer at suse.de> writes:

> Hello,
>
> The releases are signed in a funny way. The .asc file are not detached
> signatures of the checksum, but actually contain it inside the .asc file.
>
> # gpg -v --verify notmuch-0.28.1.tar.gz.sha256.asc
> ...
> gpg: binary signature, digest algorithm SHA256, key algorithm rsa3072
> gpg: WARNING: not a detached signature; file
> 'notmuch-0.28.1.tar.gz.sha256' was NOT verified!
>
> A much better way of signing this would have been as a detached
> signature of the tarball itself. Why sign a hash of a hash? ;)

I'm not sure why Carl did it that way 10 years ago. Perhaps Carl
remembers?  Offhand, I don't see any reason not to go with a more
standard detached signature, other than it needs someone to do the
relevant work.

d


More information about the notmuch mailing list