Create a sha256 file for use with the sha256sum tool to verify the integrity of artifacts created by the CI jobs. Make these files available in both the Jenkins UI alongside the tarballs, and also upload them over SSH (where applicable).
In future work, I'd like to make the -CHECKSUM file clear-signed. It appears that the sha256sum program can ignore the GPG signature information, so there is no need to ship a detached signature.
For now, we can add the -CHECKSUM file as-is, and we won't need to change the mechanism to consume it when the signing work lands.
Test build on Jenkins to verify that Jenkins processes the new file correctly:
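Added example, not part of the original change description or the project's CI code: a shell script that generates a -CHECKSUM file for a set of tarballs and runs the same `sha256sum -c` check against the plain file and against a copy wrapped in a clear-sign style envelope. It assumes GNU coreutils `sha256sum`; the artifact names, the function names and the placeholder signature body are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumes GNU coreutils sha256sum; all file names are constructed.

# Write "<digest>  <name>" lines for every tarball in dir $1 to $1/$2.
make_checksum_file() {
    ( cd "$1" && sha256sum -- *.tar.gz > "$2" )
}

# Wrap checksum file $1 in a clear-sign style envelope, written to $2.
# The signature body is a constructed placeholder, not real gpg output.
wrap_like_clearsign() {
    {
        printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----' 'Hash: SHA256' ''
        cat "$1"
        printf '%s\n' '-----BEGIN PGP SIGNATURE-----' '' \
            'CONSTRUCTED+PLACEHOLDER/NOT+A+SIGNATURE' '-----END PGP SIGNATURE-----'
    } > "$2"
}

# Check the artifacts in dir $1 against checksum file $2 (a name inside $1).
# Any further arguments are passed to sha256sum as options.
verify_artifacts() {
    dir=$1; file=$2; shift 2
    ( cd "$dir" && sha256sum "$@" -c "$file" >/dev/null 2>&1 )
}

# Print "label: pass" or "label: fail" for a verification command.
report() {
    label=$1; shift
    if "$@"; then echo "$label: pass"; else echo "$label: fail"; fi
}

demo() {
    work=$(mktemp -d) || return 1
    printf 'constructed artifact A\n' > "$work/app-1.0.tar.gz"
    printf 'constructed artifact B\n' > "$work/lib-1.0.tar.gz"
    make_checksum_file "$work" plain-CHECKSUM
    wrap_like_clearsign "$work/plain-CHECKSUM" "$work/signed-CHECKSUM"
    report 'plain file'          verify_artifacts "$work" plain-CHECKSUM
    report 'clear-sign envelope' verify_artifacts "$work" signed-CHECKSUM
    # --strict rejects the envelope lines, so a consumer must not pass it.
    report 'envelope + --strict' verify_artifacts "$work" signed-CHECKSUM --strict
    printf 'modified after build\n' >> "$work/app-1.0.tar.gz"
    report 'tampered artifact'   verify_artifacts "$work" signed-CHECKSUM
    rm -rf "$work"
}
demo
```

A passing `sha256sum -c` says nothing about the signature: `sha256sum` skips the envelope lines but also reads any checksum line in the file, whether or not it sits inside the signed region. A consumer that relies on the signature has to run `gpg --verify` as a separate step.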