Closed TinF0ilHat1 closed 8 months ago
I was thinking: what is the purpose of releasing a .asc for each file plus the corresponding hash .sha256.sum?
I don't know. It's what people in the crypto world seem to like, for some reason.
I would have expected you to write a manifest.txt with all the hashes and then sign (attached or not) it.
How is that any different than what happens now?
Oh wait -- you're probably right. The shasum files are useless. I should be signing everything. Will-do next release if I remember.
If you do not do anything it will still be fine - it's just a waste of time for you though, doing a useless step every time.
To give the whole process a meaning:
1) you can sign all the binaries
2) Or write all the hashes on a .txt and sign only that .txt. That way it would make sense to run sha256sum --check filename.txt --ignore-missing
Feel free to close it though.
Yeah you're 100% right. You ever do something.. not thinking about it.. and then someone points it out to you that what you are doing makes no sense? And then you wonder all along how you never once stopped to think about it and how yes, what you are doing makes no sense.
I feel that way now. 100% I will do this next release.. or maybe even now.
I will do that single signed sha256sum file idea actually.. since I like seeing sha hashes as a bitcoiner.
Ok, I generated a single sha256sum file and signed that. I am including both the bare .txt file and the signed .asc file (which embeds the .txt within itself for redundancy, ha!). I updated the release just now.
Is that ok? Or should I just delete the .txt file and leave only the .asc?
As you pointed out, the bare .txt is redundant as the .asc includes the hashes itself. (If you keep both files gpg will warn: gpg: WARNING: not a detached signature; file 'Fulcrum-1.9.3-sha256sums.txt' was NOT verified!) So for me you can just leave the .txt.asc. The alternative is a detached signature, where the .asc does not include data.
Yeah good point. I'll nuke the .txt and leave the .asc. I forgot about the gpg warning... true.
Hey, probably a non-detached signature could get people confused. Right now sha256sum --check Fulcrum-1.9.3-sha256sums.txt.asc --ignore-missing produces:
Fulcrum-1.9.3-x86_64-linux.tar.gz: OK
sha256sum: WARNING: 10 lines are improperly formatted
To avoid this you should make a detached signature: gpg --detach-sign --armor filename.txt
It produces a second file, filename.txt.asc. That way you can check the integrity of filename.txt against filename.txt.asc and then use filename.txt to check with sha256sum --check if the hash matches.
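The workflow this thread settles on (one manifest of sha256 hashes, a detached armored signature on that manifest, then sha256sum --check against the bare manifest), as an added example that is not part of the issue thread and not Fulcrum's own release tooling. It assumes GNU coreutils sha256sum (for --ignore-missing and --strict) and gpg; the manifest and Linux artifact names follow the thread, the second artifact name and the key fingerprint are placeholders, and the clearsigned-shaped file built in demo is constructed data standing in for an attached signature, not a real one.

```shell
#!/bin/sh
# Added example, not Fulcrum's release scripts: the "one signed manifest" flow.
# Assumes GNU coreutils sha256sum (--ignore-missing, --strict) and gpg.

MANIFEST="Fulcrum-1.9.3-sha256sums.txt"                 # bare manifest, as in the thread
EXPECTED_FPR="0000000000000000000000000000000000000000" # PLACEHOLDER: maintainer's real key fingerprint

# --- publisher side ---------------------------------------------------------

# make_manifest <dir> <manifest> <artifact>...: one "hash  name" line per
# artifact, hashed from inside <dir> so the manifest carries bare file names.
make_manifest() {
    dir=$1; out=$2; shift 2
    ( cd "$dir" && sha256sum "$@" ) > "$out"
}

# sign_manifest <manifest>: DETACHED armored signature written to <manifest>.asc.
# An attached/clearsigned signature would wrap the hash lines in PGP headers,
# which is exactly what sha256sum later reports as "improperly formatted".
sign_manifest() {
    gpg --detach-sign --armor "$1"
}

# --- verifier side ----------------------------------------------------------

# looks_clearsigned <file>: true when the file is an attached signature rather
# than a bare manifest (the pitfall hit in the thread).
looks_clearsigned() {
    grep -q '^-----BEGIN PGP SIGNED MESSAGE-----' "$1"
}

# verify_signature <manifest> <expected-fpr>: gpg exits 0 for a good signature
# from ANY key in the keyring, so also pin the signer via the VALIDSIG status line.
verify_signature() {
    gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG .*$2"
}

# verify_hashes <dir> <manifest>: check only the artifacts actually present
# (--ignore-missing) but fail on malformed lines (--strict) instead of printing
# a WARNING and still exiting 0.
verify_hashes() {
    dir=$1; manifest=$2
    manifest_abs=$(cd "$(dirname "$manifest")" && pwd)/$(basename "$manifest")
    ( cd "$dir" && sha256sum --check --ignore-missing --strict "$manifest_abs" )
}

# verify_release <dir> <manifest>: signature first, then hashes; both must pass.
verify_release() {
    verify_signature "$2" "$EXPECTED_FPR" && verify_hashes "$1" "$2"
}

# demo: throwaway release in a temp dir; shows a bare manifest passing and a
# constructed clearsigned-shaped manifest being rejected (no gpg needed).
demo() {
    tmp=$(mktemp -d)
    printf 'linux build\n' > "$tmp/Fulcrum-1.9.3-x86_64-linux.tar.gz"   # constructed content
    printf 'other build\n' > "$tmp/Fulcrum-1.9.3-other-artifact.zip"    # placeholder name
    make_manifest "$tmp" "$tmp/$MANIFEST" \
        Fulcrum-1.9.3-x86_64-linux.tar.gz Fulcrum-1.9.3-other-artifact.zip
    verify_hashes "$tmp" "$tmp/$MANIFEST" && echo "bare manifest: OK"
    # Constructed stand-in for an attached (clearsigned) manifest; not a real signature.
    {
        printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----' 'Hash: SHA256' ''
        cat "$tmp/$MANIFEST"
        printf '%s\n' '-----BEGIN PGP SIGNATURE-----' '' 'notarealsignature==' \
            '-----END PGP SIGNATURE-----'
    } > "$tmp/$MANIFEST.asc"
    looks_clearsigned "$tmp/$MANIFEST.asc" && echo "attached signature detected"
    verify_hashes "$tmp" "$tmp/$MANIFEST.asc" || echo "clearsigned manifest: rejected by --strict"
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run with the argument demo to see both outcomes. Two details matter for a defender: gpg --verify returns success for any good signature by any key you happen to have imported, so verify_signature pins the expected fingerprint from the VALIDSIG status line rather than trusting the exit code alone; and --strict turns the "lines are improperly formatted" WARNING the thread observed into a non-zero exit, so feeding a clearsigned manifest to sha256sum by mistake fails loudly instead of reporting OK for the artifacts it could parse.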
I was thinking: what is the purpose of releasing a .asc for each file plus the corresponding hash .sha256.sum? Once I gpg --verify the .asc against the corresponding file there is no point checking if the hash matches the one you wrote. I can already be sure that the file is legit since I already got a Good signature from "Calin Culianu (NilacTheGrim) <calin.culianu@gmail.com>"
I would have expected you to write a manifest.txt with all the hashes and then sign (attached or not) it.