Open xtaran opened 5 years ago

It's good to see that mosh's release announcements are PGP-signed and include strong-enough hashsums of the source tarballs and macOS binary.

Unfortunately this doesn't allow verifying these files automatically. So please provide detached PGP signatures on the files as a release artifact, too.

This would e.g. allow Debian to verify the signatures with their `uscan` upstream tarball download tool, but would also allow anyone to use e.g. `gpgv` to verify the downloaded source code without first having to copy and paste the release notes into a file, verify the PGP signature, and then check the SHA256 hashsum and compare it manually with the one in the release notes.

TIA!

Thanks, we can do this starting with the next release (or even the current release I suppose). What is best practice for naming and hosting the signature? Can you point us to somebody else who does this? (E.g. does GNU do it or something?)

Common suffixes seem to be `.asc` for ASCII-armoured signatures and IIRC `.sig` for binary signatures.

An example from the GNU project is https://ftp.gnu.org/gnu/screen/ where for every `.tar.gz` file, there's also a `.tar.gz.sig` file.

The relevant GnuPG subcommand is IIRC `gpg --detach-sign`.

Just putting the files in the same directory is what I see commonly.
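The workflow discussed in this thread, as an added shell example that is not code from the mosh project or from the posters: sign a tarball with `gpg --detach-sign` on the maintainer side, then verify it non-interactively with `gpgv` downstream, plus the SHA-256 comparison that the release notes currently require by hand. The key id, fingerprint, keyring path and file names are assumptions, and `sha256sum` is assumed to be the coreutils one.

```shell
#!/bin/sh
# Added example, not mosh's own release tooling. Key id, fingerprint and
# file names below are placeholders supplied by the caller.
set -u

# Maintainer side: write tarball.sig (binary) and tarball.asc (ASCII-armoured)
# next to the tarball, as ftp.gnu.org does.
sign_release() {
    tarball=$1 keyid=$2
    gpg --batch --yes --local-user "$keyid" --detach-sign \
        --output "$tarball.sig" "$tarball" &&
    gpg --batch --yes --local-user "$keyid" --detach-sign --armor \
        --output "$tarball.asc" "$tarball"
}

# Downstream side. gpgv exits 0 for a good signature by *any* key in the
# given keyring, so the VALIDSIG status line is also checked against the
# expected fingerprint. Returns 0 only for a good signature by that exact key.
verify_release() {
    tarball=$1 sig=$2 keyring=$3 expected_fpr=$4
    status=$(gpgv --keyring "$keyring" --status-fd 1 "$sig" "$tarball" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $expected_fpr " || return 1
}

# The manual step a detached signature makes unnecessary: compare the file's
# SHA-256 with the value copied out of the release notes.
check_sha256() {
    file=$1 expected=$2
    actual=$(sha256sum "$file" | cut -d' ' -f1) || return 1
    [ "$actual" = "$expected" ]
}
```

With the signature files beside the tarball, a downstream tool only needs the release key's fingerprint and a keyring containing that key; no release-notes text has to be copied anywhere.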