Closed adapt-L closed 2 months ago
It is a custom format. You can take https://github.com/monero-project/monero-gui/blob/master/.github/verify_p2pool.py as a reference of how to verify it.
Okay, I've written my script to parse your custom format, but I think it would be better for you to produce something like a gpg-signed output of sha256sum (which has the hash and filename on the same line), and I would be willing to write you a new signing script if you would allow. As you can see, the verification script is very complicated: https://github.com/gentoo/guru/commit/4c2441b92e050bf1de11b4ac34877525eeb4943c . I assume you're using python because you're developing on windows and thus don't have easy access to bash?
I suppose you could also just sign the files independently, but I think you are using a signed-list-of-hashes because you want to associate the binary releases with their associated source code. It would simplify the verification on my end if you also produced a detached signature of p2pool_source.tar.xz as well, but you don't have to.
How are you generating sha256sums.txt.asc? I'm trying to set up a system to verify the sources automatically, but it doesn't appear just to be the gpg-signed output of "sha256sum" as it has the hash, filename, and file size on different lines.
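The thread above contrasts two hash-list layouts: plain `sha256sum` output (hash and filename on one line) and a clearsigned list with name, size and hash on separate lines. The following is an added example, not code from the thread, from p2pool, or from the referenced verify_p2pool.py. It parses both layouts into one `{filename: (size, sha256)}` mapping and checks files on disk against it. The `Name:`/`Size:`/`SHA256:` field labels are an assumption about the custom format, the sample file contents and the clearsign wrapper are constructed, and the signature block is a placeholder: this code only extracts and parses the signed body, so `gpg --verify` must succeed on the real file before its body is trusted.

```python
import hashlib
import re
import tempfile
from pathlib import Path

CLEARSIGN_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"


def clearsigned_body(text):
    """Return the message text inside a PGP clearsigned block.

    This is extraction only and proves nothing about authenticity: run
    `gpg --verify` on the file first and parse the body only if that passes.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != CLEARSIGN_BEGIN:
        raise ValueError("not a clearsigned message")
    i = 1
    while lines[i].strip():          # skip armor headers such as "Hash: SHA256"
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line.strip() == SIG_BEGIN:
            break
        # Clearsign dash-escapes lines that start with '-' (RFC 4880 section 7.1).
        body.append(line[2:] if line.startswith("- ") else line)
    return "\n".join(body)


def _add_record(records, rec):
    size = int(rec["Size"]) if "Size" in rec else None
    records[rec["Name"]] = (size, rec["SHA256"].lower())


def parse_record_format(body):
    """Parse multi-line 'Name:/Size:/SHA256:' records (assumed field labels)
    into {filename: (size_in_bytes_or_None, hexdigest)}."""
    records, current = {}, {}
    for line in body.splitlines():
        m = re.match(r"^(Name|Size|SHA256):\s*(\S+)", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Name" and current:    # a new record starts; flush the previous one
            _add_record(records, current)
            current = {}
        current[key] = value
    if current:
        _add_record(records, current)
    return records


def parse_sha256sum_format(body):
    """Parse `sha256sum` output: '<hex>  <name>' (or '<hex> *<name>' in binary mode)."""
    records = {}
    for line in body.splitlines():
        m = re.match(r"^([0-9a-fA-F]{64})\s+\*?(.+)$", line)
        if m:
            records[m.group(2)] = (None, m.group(1).lower())
    return records


def verify_files(expected, directory):
    """Check size (when the list gives one) and SHA-256 of every listed file.
    Returns {filename: bool}; a missing file counts as a failure."""
    results = {}
    for name, (size, digest) in expected.items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = False
            continue
        data = path.read_bytes()
        size_ok = size is None or size == len(data)
        results[name] = size_ok and hashlib.sha256(data).hexdigest() == digest
    return results


def demo():
    """Constructed end-to-end run: write two fake release files, build a
    constructed clearsigned list for them, alter one file afterwards, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {
            "p2pool-vX.Y-linux-x64.tar.gz": b"constructed linux build\n",
            "p2pool_source.tar.xz": b"constructed source tarball\n",
        }
        records = []
        for name, data in files.items():
            (Path(tmp) / name).write_bytes(data)
            records.append(f"Name: {name}\nSize: {len(data)} bytes\n"
                           f"SHA256: {hashlib.sha256(data).hexdigest()}\n")
        # Placeholder armor: a real file would carry an actual signature here.
        signed = (CLEARSIGN_BEGIN + "\nHash: SHA256\n\n" + "\n".join(records)
                  + SIG_BEGIN + "\n<placeholder armored signature>\n"
                  "-----END PGP SIGNATURE-----\n")
        (Path(tmp) / "p2pool_source.tar.xz").write_bytes(b"tampered\n")
        expected = parse_record_format(clearsigned_body(signed))
        return verify_files(expected, tmp)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(("OK      " if ok else "MISMATCH"), name)
```

Because both parsers return the same mapping shape, the same `verify_files` check works whether the maintainer keeps the multi-line list or switches to signed `sha256sum` output; the size field, when present, gives a cheap early rejection before hashing a large archive.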