[PATCH] Update release script to generate detached signatures and checksum files

Denys Vlasenko vda.linux at googlemail.com
Sat Jun 9 19:20:54 UTC 2018


On Tue, Jun 5, 2018 at 6:48 PM, Eli Schwartz <eschwartz at archlinux.org> wrote:
> This is more usable for programmatically checking the validity of a
> release.
> ---
>
> So this is what I'm envisioning. This generates the following files:
>
> busybox-$VERSION.tar.gz
> busybox-$VERSION.tar.gz.sig
> busybox-$VERSION.tar.gz.sha256
>
> And the same for tar.bz2
>
> Users or distro maintainers can download either the .sig file or the
> .sha256 to the same directory as the release archive, and then verify
> the archive by running,
>
> for gpg:
> gpg --verify busybox-$VERSION.tar.gz.sig
>
> for simply checking the checksums:
> sha256sum -c busybox-$VERSION.tar.gz.sha256
>
> I do not anticipate anyone wishing to check both. gpg signatures fulfill
> the role of checksums, because if the signature verification succeeds,
> then they already know the file did not get downloaded in a malformed
> fashion.

Applied, thanks
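As an added example (not the busybox release script or anything from this thread), the following shell snippet writes a `.sha256` file in the layout `sha256sum -c` expects and then runs the user-side check from the download directory, on a constructed stand-in archive. It assumes GNU coreutils `sha256sum`; the `.sig`/`gpg --verify` half is left out because it needs a signing key.

```shell
#!/bin/sh
# Added example: generate the .sha256 companion file and verify it the way a
# downloader would. The checksum file must record only the basename of the
# archive, because users place the archive and the .sha256 side by side and
# run `sha256sum -c` from that directory.
set -u

# make_checksum_file <archive-path>  -> writes <archive-path>.sha256
make_checksum_file() {
    archive=$1
    dir=$(dirname "$archive")
    base=$(basename "$archive")
    # Run from the archive's directory so the recorded name carries no path.
    (cd "$dir" && sha256sum "$base" > "$base.sha256")
}

# verify_release <archive-path>  -> exit 0 only when the checksum matches
verify_release() {
    archive=$1
    dir=$(dirname "$archive")
    base=$(basename "$archive")
    [ -f "$dir/$base.sha256" ] || { echo "missing $base.sha256" >&2; return 2; }
    (cd "$dir" && sha256sum -c --status "$base.sha256")
}

# Demonstration on a constructed (hypothetical) archive, not a real release.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed tarball contents\n' > "$tmp/busybox-0.0.0.tar.gz"
    make_checksum_file "$tmp/busybox-0.0.0.tar.gz"
    verify_release "$tmp/busybox-0.0.0.tar.gz" && good=ok || good=bad
    # Alter the archive: the same checksum file must now reject it.
    printf 'x' >> "$tmp/busybox-0.0.0.tar.gz"
    verify_release "$tmp/busybox-0.0.0.tar.gz" && tampered=accepted || tampered=rejected
    rm -rf "$tmp"
    echo "untouched archive: $good; altered archive: $tampered"
    [ "$good" = ok ] && [ "$tampered" = rejected ]
}
```

Run `demo` to see both outcomes; a `.sha256` produced from an absolute path instead would embed that path and fail `-c` in any other directory.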
