Adam Majer <amajer@suse.de> writes:

> Hello,
>
> The releases are signed in a funny way. The .asc files are not detached
> signatures of the checksum, but actually contain it inside the .asc file.
>
> # gpg -v --verify notmuch-0.28.1.tar.gz.sha256.asc
> ...
> gpg: binary signature, digest algorithm SHA256, key algorithm rsa3072
> gpg: WARNING: not a detached signature; file
> 'notmuch-0.28.1.tar.gz.sha256' was NOT verified!
>
> A much better way of signing this would have been as a detached
> signature of the tarball itself. Why sign a hash of a hash? ;)

I'm not sure why Carl did it that way 10 years ago. Perhaps Carl
remembers?

Offhand, I don't see any reason not to go with a more standard detached
signature, other than it needs someone to do the relevant work.

d

_______________________________________________
notmuch mailing list
notmuch@notmuchmail.org
https://notmuchmail.org/mailman/listinfo/notmuch
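As an added example (not from this thread and not notmuch's own release tooling), the script below reproduces both schemes with a throwaway key: the inline-signed checksum file the thread describes, and the detached signature over the tarball that Adam proposes. It then shows how each has to be verified so that the tarball is actually covered, and why `gpg --verify` on the .asc alone is not enough. The key identity, file names and tarball contents are constructed for the demo and are not notmuch's; it assumes GnuPG 2.1 or later and GNU coreutils `sha256sum`.

```shell
#!/bin/sh
# Added demo: inline-signed checksum vs. detached signature of the tarball.
# Everything here (key, file names, "tarball" contents) is constructed.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway signing key, no passphrase (GnuPG 2.1+ --quick-generate-key).
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Release Demo <demo@example.invalid>' default default never 2>/dev/null

# Constructed stand-in for a release tarball.
printf 'demo payload\n' > demo-0.1.tar.gz

# Scheme 1 (what the thread describes): sign the checksum file *inline*.
# The signed data lives inside the .asc; the sibling .sha256 is unsigned.
# Like notmuch's file in the thread, this is a binary (non-armored) signature.
sha256sum demo-0.1.tar.gz > demo-0.1.tar.gz.sha256
gpg --batch --quiet --yes --output demo-0.1.tar.gz.sha256.asc --sign demo-0.1.tar.gz.sha256

# Scheme 2 (Adam's proposal): detached signature over the tarball itself.
gpg --batch --quiet --yes --output demo-0.1.tar.gz.sig --detach-sign demo-0.1.tar.gz

# The pitfall: `gpg --verify x.asc` succeeds because the *embedded* checksum
# text is validly signed, but it says nothing about the sibling .sha256 file
# or about the tarball (hence GnuPG's "was NOT verified!" warning).
naive_verify() {
    gpg --batch --quiet --verify "$1" 2>/dev/null
}

# Correct verification of scheme 1: extract the signed payload with --decrypt
# (which also checks the signature and fails on a bad one) and feed *that*,
# not the unsigned sibling file, to sha256sum -c.
# Returns 0 only if the signature is good AND the tarball matches the hash.
verify_inline_checksum() {
    asc=$1
    gpg --batch --quiet --yes --decrypt --output "$asc.verified" "$asc" 2>/dev/null || return 1
    sha256sum -c --quiet "$asc.verified" >/dev/null 2>&1
}

# Scheme 2 verification: one command, and the tarball is what is covered.
verify_detached() {
    sig=$1
    file=$2
    gpg --batch --quiet --verify "$sig" "$file" 2>/dev/null
}

# Returns 0 when both correct verifications pass on the pristine tarball
# and both reject a tampered one.
run_demo() {
    verify_inline_checksum demo-0.1.tar.gz.sha256.asc || return 1
    verify_detached demo-0.1.tar.gz.sig demo-0.1.tar.gz || return 1

    cp demo-0.1.tar.gz demo-0.1.tar.gz.orig
    printf 'tampered\n' >> demo-0.1.tar.gz
    if verify_inline_checksum demo-0.1.tar.gz.sha256.asc; then return 1; fi
    if verify_detached demo-0.1.tar.gz.sig demo-0.1.tar.gz; then return 1; fi
    mv demo-0.1.tar.gz.orig demo-0.1.tar.gz
    return 0
}

if run_demo; then
    echo "both schemes verify the pristine tarball and reject the tampered one"
fi
# With the sibling .sha256 file replaced, naive_verify still exits 0: the .asc
# is self-contained and never looks at the neighbouring file.
printf 'bogus  demo-0.1.tar.gz\n' > demo-0.1.tar.gz.sha256
naive_verify demo-0.1.tar.gz.sha256.asc && echo "naive --verify still succeeds after tampering the sibling .sha256"
```

The practical consequence for the scheme in the thread is that a consumer must run `gpg --decrypt` on the `.sha256.asc` and hash-check the tarball against the output of that command; checking against the plain `.sha256` file next to it proves nothing, because that file is never covered by the signature. A detached signature over the tarball removes that extra step and the opportunity to get it wrong.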