Verifying and checksumming a new release is somewhat cumbersome
john doe
johndoe65534 at mail.com
Thu Dec 3 07:50:47 CET 2020
On 11/29/2020 12:53 PM, Werner Koch wrote:
> On Sat, 28 Nov 2020 07:57, john doe said:
>
>> If I look at Debian (1) for example, the checksum file is gpg signed.
>> Assuming that I understand correctly, the Debian approach is not a safe
>> way to make the checksums available/propagate?
>
> No, that is a safe way.
>
> Having a separate file with checksums is sometimes better for the
> signing workflow. It also allows one to sign/verify a bunch of files with
> just one operation. It also avoids the need to download and upload all
> files to a dedicated signing box. Only since GnuPG 2.2 could the latter
> be handled using gpg-agent's remote feature.
>
Interesting; just to be sure, are you referring to the option below from (1)?
"--extra-socket name"
Is the release workflow documented somewhere so a non-dev could look to
implement this?
In other words, is it worth considering such a move?
1)
https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html#Agent-Options
--
John Doe
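The flow Werner describes above is the Debian-style one: a single signed checksum file covers every release artifact. The Python below is an added example of the verifier's side (it is not from this thread or from GnuPG itself): it first checks the detached signature on the checksum file with gpg, then parses the sha256sum format and compares each download, flagging a file the signed list does not cover instead of silently accepting it. The gpg call assumes gpg is installed and the release signing key is already in the keyring; the function names and the sample files in demo() are constructed for the example.

```python
import hashlib, re, subprocess, tempfile
from pathlib import Path

_SUM_LINE = re.compile(r"^([0-9a-f]{64}) [ *](.+)$")

def verify_signature(sums_path, sig_path):
    """Step 1: check the detached signature on the checksum file itself.
    Assumes gpg is installed and the release signing key is in the keyring."""
    cmd = ["gpg", "--batch", "--verify", str(sig_path), str(sums_path)]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def parse_sums(text):
    """Step 2: parse sha256sum output ("<hex>  <name>" or "<hex> *<name>")
    from the now-trusted checksum file into {name: hexdigest}."""
    sums = {}
    for line in filter(None, text.splitlines()):
        m = _SUM_LINE.match(line)
        if not m:
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[m.group(2)] = m.group(1)
    return sums

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def check_downloads(sums, names, base_dir):
    """Step 3: compare each download with the signed list. Returns
    {name: "OK" | "MISMATCH" | "NOT LISTED"}; an unlisted download is flagged."""
    report = {}
    for name in names:
        if name not in sums:
            report[name] = "NOT LISTED"
        else:
            digest = sha256_file(Path(base_dir) / name)
            report[name] = "OK" if digest == sums[name] else "MISMATCH"
    return report

def demo():
    """Constructed data: one good file, one tampered file, one unlisted file."""
    good = b"release tarball contents (constructed)\n"
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "a.tar.bz2").write_bytes(good)
        (Path(d) / "b.tar.bz2").write_bytes(good + b"X")   # altered after signing
        (Path(d) / "c.tar.bz2").write_bytes(good)          # absent from the list
        digest = hashlib.sha256(good).hexdigest()
        sums = parse_sums(f"{digest}  a.tar.bz2\n{digest} *b.tar.bz2\n")
        return check_downloads(sums, ["a.tar.bz2", "b.tar.bz2", "c.tar.bz2"], d)
```

In real use, run verify_signature() on SHA256SUMS and its .sig first and stop if it returns False; only then feed the file to parse_sums() and check_downloads().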