Verifying and checksumming new release is somewhat cumbersom
Werner Koch
wk at gnupg.org
Sun Nov 29 12:53:53 CET 2020
On Sat, 28 Nov 2020 07:57, john doe said:
> If I look at Debian (1) for example, the checksum file is gpg signed.
> Assuming that I understand correctly, the Debian approach is not a safe
> way to make the checksums available?propagate?
No, that is a safe way.
Having a separate file with checksums is sometimes better for the
signing workflow. It also allows to sign/verify a bunch of files with
just one operation. It also avoids the need to download and upload all
files to a dedicated signing box. Only since GnuPG 2.2 the latter could
be handled using gpg-agent's remote feature.
Salam-Shalom,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20201129/624cdc55/attachment-0001.sig>
More information about the Gnupg-users
mailing list