[PATCH] build: sign tarball instead of sha256sum

David Bremner david at tethera.net
Fri Mar 15 06:56:58 PDT 2019

Daniel Kahn Gillmor <dkg at fifthhorseman.net> writes:

> sure, though i'd change the .sha256.asc to be a clearsigned file instead
> of the current ASCII-armored OpenPGP message that it currently is (as
> Adam suggested elsewhere in this thread).  And we can ditch the .sha256
> itself, which doesn't seem to be doing any useful work.
>       --dkg

Err, wouldn't we be relying on the .sha256 file to be byte reproducible in
perpetuity then? That seems to tie us to coreutils and reduce the
options of users for verification, no?


More information about the notmuch mailing list