[PATCH] build: sign tarball instead of sha256sum
david at tethera.net
Fri Mar 15 06:56:58 PDT 2019
Daniel Kahn Gillmor <dkg at fifthhorseman.net> writes:
> sure, though i'd change the .sha256.asc to be a clearsigned file instead
> of the current ASCII-armored OpenPGP message that it currently is (as
> Adam suggested elsewhere in this thread). And we can ditch the .sha256
> itself, which doesn't seem to be doing any useful work.
Err, wouldn't we be relying on the .sha256 file to be byte reproducible in
perpetuity then? That seems to tie us to coreutils and reduce the
options of users for verification, no?
More information about the notmuch