Release signatures

Subject: Release signatures

Date: Wed, 6 Feb 2019 11:48:00 +0100



From: Adam Majer


The releases are signed in a funny way. The .asc file are not detached
signatures of the checksum, but actually contain it inside the .asc file.

# gpg -v --verify notmuch-0.28.1.tar.gz.sha256.asc
gpg: binary signature, digest algorithm SHA256, key algorithm rsa3072
gpg: WARNING: not a detached signature; file
'notmuch-0.28.1.tar.gz.sha256' was NOT verified!

A much better way of signing this would have been as a detached
signature of the tarball itself. Why sign a hash of a hash? ;)

# gpg --detach --sign notmuch-0.28.1.tar.gz
-> notmuch-0.28.1.tar.gz.sig

Then you can verify this is a properly signed binary,

# gpg -v --verify notmuch-0.28.1.tar.gz.sig
gpg: assuming signed data in 'notmuch-0.28.1.tar.gz'
gpg: Signature made Wed 06 Feb 2019 11:37:19 AM CET
gpg:                using RSA key 4BE7C1D3CC65813AF349D42F864508B01B2679CF
gpg: using subkey 864508B01B2679CF instead of primary key E523F220AC8DFBD0
gpg: binary signature, digest algorithm SHA512, key algorithm rsa3904

The digest algorithm is from the key preferences, which you can change.
You can also specify it as --digest-algo option, if you prefer.

Best regards,
- Adam

PS. I'm not on the list. Please cc me if you would like any response ;)
notmuch mailing list