[PATCH] build: sign tarball instead of sha256sum
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Mar 15 06:37:57 PDT 2019
On Fri 2019-03-15 12:35:55 +0100, Adam Majer wrote:
> # osc chroot
> running: sudo chroot /var/tmp/build-root/openSUSE_Tumbleweed-x86_64 su -
> abuild
> # gpgv
> -bash: gpgv: command not found
That's surprising to me, but i'm ignorant about SUSE so you shouldn't be
surprised at my surprise :P
How does this system cryptographically verify its software updates? or
is it never updated? or updated "from the outside" or something?
> Sorry, I meant clear signed and inline. The checksum file could just be
> *.sha256 and be itself clear signed. Then people see as a checksum file
> and when they look inside, they see it as signed. There is no reason to
> have the checksum file encoded.
Ah, good call. I agree that *.sha256.asc should be a clearsigned text
file instead of an ASCII-armored PGP message. Thanks for catching that!
--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <http://notmuchmail.org/pipermail/notmuch/attachments/20190315/1c3c3e1b/attachment-0001.sig>
More information about the notmuch
mailing list