dave-theunsub / clamtk

An easy to use, light-weight, on-demand virus scanner for Linux systems
https://gitlab.com/dave_m/clamtk/wikis/home

v. 6.14 - 20211120 checksums don't match #135

Closed akwala closed 2 years ago

akwala commented 2 years ago

From clamtk_6.14-1_amd64.changes at https://github.com/dave-theunsub/clamtk/releases/tag/v6.14:

586bcc018e7fc6476e4eafbe8cb109eeb7e130602146bf52d0c68ea60e77ed61 229836 clamtk_6.14-1_all.deb

What I get (downloaded twice with same result):

$ sha256sum clamtk_6.14-1_all.deb
513cfb01d09c83dec85dc895aeae0444bec1560a5c4f02fa6bb8914e04c6e9e5  clamtk_6.14-1_all.deb

dave-theunsub commented 2 years ago

That's what I get, too. Let me re-run these.

dave-theunsub commented 2 years ago

I am thinking that's because it is before the digital signature. I sign the file after the build.

akwala commented 2 years ago

> I am thinking that's because it is before the digital signature. I sign the file after the build.

Maybe provide the checksum generated after the *.deb is ready for downloading/installing?

dave-theunsub commented 2 years ago

Hi,

Do you mean something other than what is already there? The .changes file has the sums prior to signature, while this list has sums for after the signature.

Or maybe it's that I don't link to the GitLab wiki from the GitHub download page? (edit: Just in case, I do now)

akwala commented 2 years ago

> Hi,
>
> Do you mean something other than what is already there? The .changes file has the sums prior to signature, while this list has sums for after the signature.
>
> Or maybe it's that I don't link to the GitLab wiki from the GitHub download page? (edit: Just in case, I do now)

Ah, I see.

Checksums provided with releases are usually those that can be checked against the respective downloaded files – i.e., the ones on your GitLab wiki page which, BTW, is very helpful. Verifying the *.changes file requires some knowledge of related details of DEB files – this led me to look this up so I'm not complaining. I'd include a file with the post-signature checksums on the release page.
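
The check discussed in this thread, as an added example (not part of the original thread and not ClamTk's own code): a Python script that parses the Checksums-Sha256 field of a Debian .changes file and compares each entry's recorded size and SHA-256 with the file on disk. The file name and contents in `demo()` are constructed, and appending bytes is only a stand-in for any change made to the file after the build.

```python
import hashlib
import os
import tempfile

def parse_changes_sha256(text):
    """Return {filename: (sha256_hex, size)} from a .changes Checksums-Sha256 field."""
    entries, in_field = {}, False
    for line in text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
        elif in_field and line[:1] in (" ", "\t"):
            parts = line.split()
            if len(parts) == 3:  # "<sha256> <size> <filename>"
                entries[parts[2]] = (parts[0].lower(), int(parts[1]))
        elif in_field:
            break  # a line that is not indented starts the next field
    return entries

def check_file(path, expected_digest, expected_size):
    """Compare a file on disk with one parsed entry and say what differs."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    if h.hexdigest() == expected_digest:
        return "match"
    if os.path.getsize(path) != expected_size:
        return "size and hash differ"
    return "hash differs, size matches"

def demo():
    """Constructed sample: record a file in a .changes stanza, then alter the file."""
    name = "example_1.0-1_all.deb"  # hypothetical file name
    body = b"constructed package bytes"
    changes = ("Format: 1.8\nChecksums-Sha256:\n"
               f" {hashlib.sha256(body).hexdigest()} {len(body)} {name}\nFiles:\n")
    digest, size = parse_changes_sha256(changes)[name]
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(body)
        before = check_file(path, digest, size)
        with open(path, "ab") as f:  # stand-in for any change made after the build
            f.write(b"bytes added after the build")
        after = check_file(path, digest, size)
    return before, after

if __name__ == "__main__":
    print(demo())
```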