[PATCH] build: sign tarball instead of sha256sum

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Mar 15 06:37:57 PDT 2019


On Fri 2019-03-15 12:35:55 +0100, Adam Majer wrote:
> # osc chroot
> running: sudo chroot /var/tmp/build-root/openSUSE_Tumbleweed-x86_64 su - abuild
> # gpgv
> -bash: gpgv: command not found

That's surprising to me, but i'm ignorant about SUSE so you shouldn't be
surprised at my surprise :P

How does this system cryptographically verify its software updates?  or
is it never updated? or updated "from the outside" or something?

> Sorry, I meant clear signed and inline. The checksum file could just be 
> *.sha256 and be itself clear signed. Then people see it as a checksum file
> and when they look inside, they see it as signed. There is no reason to 
> have the checksum file encoded.

Ah, good call.  I agree that *.sha256.asc should be a clearsigned text
file instead of an ASCII-armored PGP message.  Thanks for catching that!

     --dkg
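
The verification flow under discussion, as an added example that is not part of the original message or of the notmuch build: a clearsigned `*.sha256.asc` is checked with `gpgv`, and the tarball is then checked against the signed text only. It assumes GnuPG 2.1 or later and coreutils `sha256sum`; the helper names, the `demo-0.1` file names and the throwaway key are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread); file and helper names are assumptions.

# verify_release KEYRING SUMS_ASC DIR   (pass KEYRING as an absolute path)
# Succeeds only if SUMS_ASC carries a good signature from a key in KEYRING
# and every file listed in the signed text matches its SHA-256 under DIR.
verify_release() {
    keyring=$1; sums_asc=$2; dir=$3
    tmp=$(mktemp -d) || return 1
    # gpgv trusts only the given keyring and writes the text covered by the
    # signature to --output; checksums are read from that copy, not from
    # the .asc file itself.
    if gpgv --quiet --keyring "$keyring" --output "$tmp/signed" "$sums_asc" \
            2>/dev/null &&
       (cd "$dir" && sha256sum -c "$tmp/signed" >/dev/null 2>&1)
    then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return "$rc"
}

# make_fixture DIR: constructed tarball, throwaway signing key, and a
# clearsigned demo-0.1.tar.xz.sha256.asc, all inside DIR.
make_fixture() {
    d=$1
    export GNUPGHOME="$d/gnupg"
    mkdir -m 700 "$GNUPGHOME" || return 1
    printf 'constructed tarball bytes\n' > "$d/demo-0.1.tar.xz"
    (cd "$d" && sha256sum demo-0.1.tar.xz > demo-0.1.tar.xz.sha256) &&
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Constructed Key <release@example.invalid>' \
        ed25519 sign never 2>/dev/null &&
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --clearsign --output "$d/demo-0.1.tar.xz.sha256.asc" \
        "$d/demo-0.1.tar.xz.sha256" 2>/dev/null &&
    gpg --batch --quiet --export --output "$d/release-keyring.gpg"
}
```

Because the file is clearsigned, `demo-0.1.tar.xz.sha256.asc` still reads as an ordinary checksum list in a pager, while `verify_release` refuses it as soon as either the signed text or the tarball has been altered.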