Re: [PATCH] build: sign tarball instead of sha256sum

Subject: Re: [PATCH] build: sign tarball instead of sha256sum

Date: Fri, 15 Mar 2019 09:37:57 -0400

To: Adam Majer, David Bremner, Carl Worth,


From: Daniel Kahn Gillmor

On Fri 2019-03-15 12:35:55 +0100, Adam Majer wrote:
> # osc chroot
> running: sudo chroot /var/tmp/build-root/openSUSE_Tumbleweed-x86_64 su - abuild
> # gpgv
> -bash: gpgv: command not found

That's surprising to me, but i'm ignorant about SUSE so you shouldn't be
surprised at my surprise :P

How does this system cryptographically verify its software updates?  or
is it never updated? or updated "from the outside" or something?

> Sorry, I meant clear signed and inline. The checksum file could just be 
> *.sha256 and be itself clear signed. Then people see as a checksum file 
> and when they look inside, they see it as signed. There is no reason to 
> have the checksum file encoded.

Ah, good call.  I agree that *.sha256.asc should be a clearsigned text
file instead of an ASCII-armored PGP message.  Thanks for catching that!
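To illustrate the format being settled on here, a clearsigned *.sha256.asc, as an added example that is not the notmuch build's code nor from either poster: the script below extracts the signed cleartext of a clearsigned message (RFC 4880 cleartext signature framing, dash-escaping undone), reads it as ordinary sha256sum(1) output, and checks a tarball against it. The tarball bytes, file name and signature block are constructed placeholders; the cryptographic signature check itself is left to gpgv, this only shows that what gets signed is a plain checksum file.

```python
import hashlib
import hmac
import re

# Constructed sample data (not a real notmuch release): the tarball bytes
# and the file name that a clearsigned *.sha256.asc would list.
TARBALL_NAME = "notmuch-X.Y-example.tar.xz"
TARBALL = b"constructed tarball contents, stand-in for the real archive\n"

def sample_asc() -> str:
    """Build a clearsigned sha256sum file for the constructed tarball.
    The signature block is a placeholder; a real one comes from gpg."""
    digest = hashlib.sha256(TARBALL).hexdigest()
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
            f"{digest}  {TARBALL_NAME}\n"
            "-----BEGIN PGP SIGNATURE-----\n\n"
            "PLACEHOLDER-ARMORED-SIGNATURE\n"
            "-----END PGP SIGNATURE-----\n")

def extract_clearsigned_text(asc: str) -> str:
    """Return the signed cleartext of an RFC 4880 clearsigned message with
    dash-escaping undone. This does NOT verify the signature (use gpgv)."""
    lines = asc.splitlines()
    try:
        start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
        end = lines.index("-----BEGIN PGP SIGNATURE-----")
    except ValueError:
        raise ValueError("not a clearsigned message") from None
    i = start + 1
    while i < end and lines[i].strip():  # skip "Hash: ..." armor headers
        i += 1
    body = lines[i + 1:end]
    return "\n".join(l[2:] if l.startswith("- ") else l for l in body)

def parse_sha256sum(text: str) -> dict:
    """Parse sha256sum(1) lines ('<64 hex>  <name>', optional '*' for binary)."""
    sums = {}
    for line in text.splitlines():
        m = re.fullmatch(r"([0-9a-fA-F]{64})\s+\*?(.+)", line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums

def tarball_matches(asc: str, name: str, data: bytes) -> bool:
    """True if the signed checksum list names `name` with the digest of `data`."""
    expected = parse_sha256sum(extract_clearsigned_text(asc)).get(name)
    if expected is None:
        return False
    return hmac.compare_digest(expected, hashlib.sha256(data).hexdigest())
```

In practice the order is: `gpgv` verifies the .sha256.asc against the release key first, and only then is the checksum line trusted to check the tarball.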

notmuch mailing list