Was gnupg-2.1.16.tar.bz2.sig updated?

Werner Koch wk at gnupg.org
Sat Dec 3 21:23:54 CET 2016


On Sat,  3 Dec 2016 17:00, bogorodskiy at gmail.com said:

> It looks like gnupg-2.1.16.tar.bz2.sig was updated after the release of
> gnupg 2.1.16.

Sure.  We do this very often as soon as a co-developer has verified the
released package.  We consider it better to have more than one
signature.

> Also, the new sig is reported as expired.

Gniibe has prolonged the expiration time of his key and thus with a
fresh copy of the key it won't claim that it is expired.  Refreshing the
keys on a regular basis is anyway a good idea to get notice of
revocations.

> The reason I'm asking is that both the release tarball and the sig are used
> by the FreeBSD port [1], and when a checksum changes for any of the

Well, the signature file is the checksum of the tarball and as such the
signature file should be used as is and not be used as a trigger for
updates.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
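
Added example (not part of the original message and not GnuPG code): a small parser for a binary detached `.sig` file that lists each signature packet with its issuer key ID, showing why the file's checksum changes when a second signature is added while the first signature packet stays byte-identical. It assumes the new signature is appended after the existing packet; the sample packets, key IDs and all function names are constructed for illustration and carry a dummy signature value.

```python
import hashlib

def _length(buf, i, two_max):  # RFC 4880 length field at buf[i] -> (length, next index)
    o = buf[i]
    if o < 192:
        return o, i + 1
    if o <= two_max:
        return ((o - 192) << 8) + buf[i + 1] + 192, i + 2
    if o != 255:
        raise ValueError("partial body length not supported")
    return int.from_bytes(buf[i + 1:i + 5], "big"), i + 5

def packets(data):
    """Yield (tag, body, raw_packet) for each packet in a binary (non-armored) OpenPGP file."""
    i = 0
    while i < len(data):
        start, hdr = i, data[i]
        if not hdr & 0x80 or (hdr & 0x43) == 3:
            raise ValueError("not a packet header, or indeterminate length")
        if hdr & 0x40:  # new-format header
            tag, (n, i) = hdr & 0x3F, _length(data, i + 1, 223)
        else:           # old-format header: length type selects 1, 2 or 4 length octets
            tag, size = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            n, i = int.from_bytes(data[i + 1:i + 1 + size], "big"), i + 1 + size
        yield tag, data[i:i + n], data[start:i + n]
        i += n

def issuer(body):
    """Issuer key ID (subpacket type 16) of a version 4 signature body, else None."""
    if body[0] != 4:
        return None
    pos = 4  # skip version, signature type, public-key algorithm, hash algorithm
    for _ in range(2):  # hashed subpacket area, then unhashed area
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos < end:
            n, pos = _length(body, pos, 254)
            if body[pos] & 0x7F == 16:
                return body[pos + 1:pos + n].hex().upper()
            pos += n

def describe(sig):
    """Return (sha256 of whole file, [(issuer key ID, sha256 of that signature packet)])."""
    return hashlib.sha256(sig).hexdigest(), [(issuer(b), hashlib.sha256(raw).hexdigest())
                                             for tag, b, raw in packets(sig) if tag == 2]

_HEAD, _TAIL = "881d040001080006050258430000000a0910", "abcd0008ff"  # constructed v4 framing, dummy MPI
ORIGINAL = bytes.fromhex(_HEAD + "1111111111111111" + _TAIL)            # constructed: .sig as first published
UPDATED = ORIGINAL + bytes.fromhex(_HEAD + "2222222222222222" + _TAIL)  # constructed: second signature appended
```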