To quote id:87ftrpgjdb.fsf@fifthhorseman.net if the thing verified is the output of sha256sum, then the *filename* of the tarball itself is included, then the standard verification step will is sufficient to ensure that you've got the right version in the filename. This is in addition to the detached signature on the tarball
---
 Makefile.global | 2 +-
 Makefile.local | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Makefile.global b/Makefile.global
index 6e17494a..27c82433 100644
--- a/Makefile.global
+++ b/Makefile.global
@@ -43,7 +43,7 @@ RELEASE_URL=https://notmuchmail.org/releases
 TAR_FILE=$(PACKAGE)-$(VERSION).tar.gz
 ELPA_FILE:=$(PACKAGE)-emacs-$(ELPA_VERSION).tar
 DEB_TAR_FILE=$(PACKAGE)_$(VERSION).orig.tar.gz
-SHA256_FILE=$(TAR_FILE).sha256
+SHA256_FILE=$(TAR_FILE).sha256.asc
 GPG_FILE=$(TAR_FILE).asc
 PV_FILE=bindings/python/notmuch/version.py
diff --git a/Makefile.local b/Makefile.local
index 01ba49cc..79595925 100644
--- a/Makefile.local
+++ b/Makefile.local
@@ -40,7 +40,7 @@ $(TAR_FILE):
 @echo "Source is ready for release in $(TAR_FILE)"
 $(SHA256_FILE): $(TAR_FILE)
-sha256sum $^ > $@
+sha256sum $^ | gpg --armour --clear-sign > $@
 $(GPG_FILE): $(TAR_FILE)
 gpg --armor --detach-sign $^
-- 
2.20.1
_______________________________________________
notmuch mailing list
notmuch@notmuchmail.org
https://notmuchmail.org/mailman/listinfo/notmuch
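Review bot: The variable keeps the name SHA256_FILE while its value now ends in `.sha256.asc`, so a reader of Makefile.global alone has no hint that the file is a clear-signed checksum rather than a bare digest; a one-line comment on the new line would carry that, e.g. `# clear-signed output of sha256sum (digest plus tarball filename); see the $(SHA256_FILE) rule in Makefile.local`. Anything else that still refers to the old `.sha256` name (upload or publish targets, release documentation) is outside this hunk and would presumably need the same rename — worth confirming.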
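Review bot: In the new recipe `sha256sum $^ | gpg --armour --clear-sign > $@` the recipe's exit status is gpg's alone, so a failing sha256sum (unreadable or missing tarball) still yields a validly signed file that contains no checksum, and a failing gpg (no secret key, agent unavailable) leaves an empty `$@` that is newer than the tarball, which make then treats as up to date on the next run. Splitting the pipe avoids both: `sha256sum $^ > $@.tmp && gpg --armour --clear-sign < $@.tmp > $@ && $(RM) $@.tmp`, ideally with `.DELETE_ON_ERROR:` set somewhere in the included makefiles so a failed step does not leave a stale target behind. The neighbouring `$(GPG_FILE)` rule spells the same option `--armor`; using one spelling in both rules would read more consistently. The `$(TAR_FILE)` rule at the top of the hunk starts outside it.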