The most recent build (20181204) finally includes GPG signatures, which is wonderful news for me as a downstream packager. However, the actual signature is invalid.
Moreover, the published sha1 for the archive is invalid. This suggests that the zip has been replaced, either by you or someone else. The listed signature is 8afb99be3479e9057eb9df9772b2fa006ca44879; its actual signature is ec80073c8b9518e98a3c00ef26a74fc5278ab6f9.
Could you please include a note in the documentation about the exact situation with the signatures? That would clarify to users how they can actually verify the sources.