cculianu / Fulcrum

A fast & nimble SPV Server for BCH, BTC, and LTC

Verifying the Release #204

Closed TinF0ilHat1 closed 8 months ago

TinF0ilHat1 commented 8 months ago

I was thinking: what is the purpose of releasing a .asc for each file plus the corresponding hash .sha256.sum? Once I `gpg --verify` the .asc against the corresponding file there is no point checking if the hash matches the one you wrote. I can already be sure that the file is legit since I already got a Good signature from "Calin Culianu (NilacTheGrim) <calin.culianu@gmail.com>"

I would have expected you to write a manifest.txt with all the hashes and then sign it (attached or not).

cculianu commented 8 months ago

> I was thinking: what is the purpose of releasing a .asc for each file plus the corresponding hash .sha256.sum?

I don't know. It's what people in the crypto world seem to like, for some reason.

> I would have expected you to write a manifest.txt with all the hashes and then sign it (attached or not).

How is that any different than what happens now?

cculianu commented 8 months ago

Oh wait -- you're probably right. The shasum files are useless. I should be signing everything. Will do next release if I remember.

TinF0ilHat1 commented 8 months ago

> Oh wait -- you're probably right. The shasum files are useless. I should be signing everything. Will do next release if I remember.

If you do not do anything it will still be fine - it's just a waste of time for you though, doing a useless step every time. To give the whole process a meaning:

1) you can sign all the binaries
2) Or write all the hashes on a .txt and sign only that .txt. That way it would make sense to `sha256sum --check filename.txt --ignore-missing`

Feel free to close it though.

cculianu commented 8 months ago

Yeah you're 100% right. You ever do something.. not thinking about it.. and then someone points it out to you that what you are doing makes no sense? And then you wonder all along how you never once stopped to think about it and how yes, what you are doing makes no sense.

I feel that way now. 100% I will do this next release.. or maybe even now.

I will do that single signed sha256sum file idea actually.. since I like seeing sha hashes as a bitcoiner.

cculianu commented 8 months ago

Ok, I generated a single sha256sum file and signed that. I am including both the bare .txt file and the signed .asc file (which embeds the .txt within itself for redundancy, ha!). I updated the release just now.

Is that ok? Or should I just delete the .txt file and leave only the .asc?

TinF0ilHat1 commented 8 months ago

As you pointed out, the bare .txt is redundant as the .asc itself includes the hashes. (If you keep both files gpg will warn: `gpg: WARNING: not a detached signature; file 'Fulcrum-1.9.3-sha256sums.txt' was NOT verified!`) So for me you can just leave the .txt.asc. The alternative is a detached signature, where the .asc does not include data.

cculianu commented 8 months ago

Yeah good point. I'll nuke the .txt and leave the .asc. I forgot about the gpg warning... true.

TinF0ilHat1 commented 8 months ago

Hey, probably a non-detached signature could get people confused. Right now `sha256sum --check Fulcrum-1.9.3-sha256sums.txt.asc --ignore-missing` produces

```
Fulcrum-1.9.3-x86_64-linux.tar.gz: OK
sha256sum: WARNING: 10 lines are improperly formatted
```

To avoid this you should make a detached signature: `gpg --detach-sign --armor filename.txt` produces a second file `filename.txt.asc`. That way you can check the integrity of `filename.txt` against `filename.txt.asc` and then use `filename.txt` to check with `sha256sum --check` if the hash matches.
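As an added, runnable illustration of the scheme this thread converges on (one sha256 manifest for the whole release, a detached armoured signature over that manifest, and a verifier that checks the signature before trusting any hash), here is a POSIX shell script. It is not the Fulcrum project's own release tooling: the artefact and manifest names are constructed stand-ins, and the key it generates lives in a throwaway keyring. The `--strict` flag on `sha256sum --check` is what turns the "improperly formatted" warning from the clear-signed .asc into a hard failure.

```shell
#!/bin/sh
# Added example, not the Fulcrum project's own release tooling.
# Maintainer side: one sha256 manifest + a detached armoured signature.
# User side: verify the signature first, then check hashes against the .txt.
# All file names below are constructed for the demo.
set -eu

# Write one manifest listing every artefact in DIR, in sha256sum's format.
make_manifest() {            # make_manifest DIR MANIFEST
    (cd "$1" && sha256sum *.tar.gz > "$2")
}

# Detached signature: writes MANIFEST.asc and leaves MANIFEST itself
# untouched, so sha256sum can still parse it (no clear-signed wrapper lines).
sign_manifest() {            # sign_manifest DIR MANIFEST
    (cd "$1" && gpg --batch --yes --detach-sign --armor "$2")
}

# Hash check only. --ignore-missing lets a user who fetched a single artefact
# check just that one; --strict turns "improperly formatted" lines (what a
# clear-signed .asc produces) into a non-zero exit instead of a warning.
check_hashes() {             # check_hashes DIR MANIFEST
    (cd "$1" && sha256sum --check --ignore-missing --strict "$2" >/dev/null 2>&1)
}

# Full verification: signature first, hashes second. Hashes taken from a
# manifest whose signature does not verify prove nothing.
verify_release() {           # verify_release DIR MANIFEST
    (cd "$1" && gpg --batch --verify "$2.asc" "$2" >/dev/null 2>&1) &&
        check_hashes "$1" "$2"
}

demo() {
    tmp=$(mktemp -d); rel="$tmp/release"; mkdir "$rel"
    a="$rel/Fulcrum-x.y.z-x86_64-linux.tar.gz"   # constructed stand-ins
    b="$rel/Fulcrum-x.y.z-arm64-linux.tar.gz"
    printf 'constructed binary A\n' > "$a"
    printf 'constructed binary B\n' > "$b"
    m=Fulcrum-x.y.z-sha256sums.txt
    make_manifest "$rel" "$m"

    check_hashes "$rel" "$m" && echo "hashes: OK"
    printf 'tampered\n' >> "$b"                  # modify one artefact
    check_hashes "$rel" "$m" || echo "hashes: FAIL after tampering (expected)"
    printf 'constructed binary B\n' > "$b"       # restore it

    # Signing needs gpg; use a throwaway keyring and key so nothing here
    # touches the user's real keyring.
    if command -v gpg >/dev/null 2>&1; then
        export GNUPGHOME="$tmp/gnupg"; mkdir -m 700 "$GNUPGHOME"
        if gpg --batch --pinentry-mode loopback --passphrase '' \
               --quick-gen-key 'Release Test <release-test@example.invalid>' \
               default default never >/dev/null 2>&1; then
            sign_manifest "$rel" "$m"
            verify_release "$rel" "$m" && echo "signature + hashes: OK"
            echo 'deadbeef  Fulcrum-x.y.z-extra.tar.gz' >> "$rel/$m"  # edit after signing
            verify_release "$rel" "$m" || echo "signature: FAIL after editing manifest (expected)"
        fi
        gpgconf --kill gpg-agent >/dev/null 2>&1 || true
        unset GNUPGHOME
    fi
    rm -rf "$tmp"
}

demo
```

Running it shows the two failure modes a user cares about: a tampered artefact fails the hash check, and a manifest edited after signing fails `gpg --verify` before the hashes are even consulted. Note that `--ignore-missing` is what makes a single-artefact download verifiable against the full manifest, which is the reason the thread prefers one manifest over per-file .sha256.sum files.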