mobile-shell / mosh

Mobile Shell
https://mosh.org
GNU General Public License v3.0

Please provide detached PGP signatures for source tarballs (and binary images) #1008

Open xtaran opened 5 years ago

xtaran commented 5 years ago

It's good to see that mosh's release announcements are PGP-signed and include strong-enough hashsums of the source tarballs and macOS binary.

Unfortunately this doesn't allow these files to be verified automatically. So please provide detached PGP signatures on the files as release artifacts, too.

This would e.g. allow Debian to verify the signatures with their uscan upstream tarball download tool, but would also allow anyone to use e.g. gpgv to verify the downloaded source code without first having to copy and paste the release notes into a file, verify the PGP signature, and then check the SHA256 hashsum and compare it manually with the one in the release notes.

TIA!

keithw commented 5 years ago

Thanks, we can do this starting with the next release (or even the current release I suppose). What is best practice for naming and hosting the signature? Can you point us to somebody else who does this? (E.g. does GNU do it or something?)

xtaran commented 5 years ago

Common suffixes seem to be .asc for ASCII-armoured signatures and IIRC .sig for binary signatures.

An example from the GNU project is https://ftp.gnu.org/gnu/screen/ where for every .tar.gz file, there's also a .tar.gz.sig file.

The relevant GnuPG subcommand is IIRC gpg --detach-sign.

Just putting the files in the same directory is what I see commonly.
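The signing and verification flow discussed in this thread, as an added shell example that is not code from the mosh project: it creates a throwaway key in a temporary GNUPGHOME, detach-signs a constructed stand-in tarball as both .sig (binary) and .asc (ASCII-armoured), verifies each with gpgv against an exported keyring, and confirms that a modified copy is rejected. The key identity, file names and working directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not mosh project code): detached signatures for a release
# tarball, verified with gpgv. Runs offline against a throwaway key.
set -eu

# sign_and_verify <workdir>: returns 0 when the genuine tarball verifies with
# both the .sig and .asc signature and a tampered copy is rejected, else 1.
sign_and_verify() {
    work="$1"
    export GNUPGHOME="$work/gnupghome"
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

    # Throwaway release-signing key (constructed identity, empty passphrase).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example Release <release@example.invalid>' default default 1d

    # Stand-in for the source tarball a maintainer would publish (constructed).
    tarball="$work/mosh-example.tar.gz"
    printf 'constructed tarball contents\n' | gzip -c > "$tarball"

    # Detached signatures placed next to the file, as on ftp.gnu.org:
    # binary (.sig) and ASCII-armoured (.asc).
    gpg --batch --quiet --output "$tarball.sig" --detach-sign "$tarball"
    gpg --batch --quiet --armor --output "$tarball.asc" --detach-sign "$tarball"

    # Downstream side: a keyring holding only the trusted release key.
    # gpgv trusts exactly the keys in the keyring it is given, nothing else.
    keyring="$work/release-keyring.gpg"
    gpg --batch --quiet --export 'release@example.invalid' > "$keyring"
    gpgv --quiet --keyring "$keyring" "$tarball.sig" "$tarball" || return 1
    gpgv --quiet --keyring "$keyring" "$tarball.asc" "$tarball" || return 1

    # Any change to the tarball must make the same signature fail.
    cp "$tarball" "$work/tampered.tar.gz"
    printf 'x' >> "$work/tampered.tar.gz"
    if gpgv --quiet --keyring "$keyring" "$tarball.sig" "$work/tampered.tar.gz" 2>/dev/null; then
        return 1
    fi
    gpgconf --kill gpg-agent 2>/dev/null || true
    return 0
}

# usage: sign_and_verify "$(mktemp -d)" && echo "genuine tarball verified, tampered copy rejected"
```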