[gnutls-devel] GnuTLS | Discussion: tarball signing practice (#1407)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Wed Nov 2 19:45:02 CET 2022




Daniel Kahn Gillmor commented:


fwiw, i agree with @ametzler here -- you should be able to *add* any number of signatures to the `.sig` of the associated tarball without introducing any problems.  It's not GnuTLS's fault that some OpenPGP verification tooling makes poor decisions about how many signatures should be valid, and you certainly shouldn't change your workflow to accommodate that.  Having a release signed by multiple keys is entirely reasonable.

A fix has been prepared for [debian's tooling](https://salsa.debian.org/debian/devscripts/-/merge_requests/286) so hopefully this won't be an issue for debian for much longer at any rate.

Of course, none of the above should stop you from adding any OpenPGP certificate to the list of parties you think *should* be able to sign a release.

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1407#note_1158001997
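
The policy argued for in the comment above, as an added example (not part of the original message, and not GnuTLS or devscripts code): a release is accepted when at least one signature in the `.sig` verifies against a key the verifier trusts, and extra signatures it cannot check are ignored. The status keywords are the ones GnuPG emits with `--status-fd`; the fingerprints, key IDs, sample lines and the stricter contrast function are constructed for illustration.

```python
# Added example: signature-count policy over `gpgv --status-fd 1` output.
# All fingerprints, key IDs and status lines below are constructed.
TRUSTED = {  # assumption: keys this verifier allows to sign releases
    "AAAA0000AAAA0000AAAA0000AAAA0000AAAA0001",
    "BBBB0000BBBB0000BBBB0000BBBB0000BBBB0002",
}
# One good signature by a trusted key, one by a key missing from the keyring.
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAA0000AAAA0001 Release Signer One (constructed)
[GNUPG:] VALIDSIG AAAA0000AAAA0000AAAA0000AAAA0000AAAA0001 2022-11-02 1667414702 0 4 0 1 10 00 AAAA0000AAAA0000AAAA0000AAAA0000AAAA0001
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG CCCC0000CCCC0003 1 10 00 1667414800 9
[GNUPG:] NO_PUBKEY CCCC0000CCCC0003
"""
NOT_GOOD = ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG")

def parse_status(text):
    """Return (fingerprints of good signatures, key IDs of the others)."""
    valid, failed, good = [], [], False
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        keyword, args = parts[1], parts[2:]
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG":
            if good:  # ignore a VALIDSIG that follows EXPKEYSIG and friends
                # field 10 is the primary key fingerprint when present
                valid.append(args[9] if len(args) >= 10 else args[0])
            good = False
        elif keyword in NOT_GOOD:
            failed.append(args[0])
            good = False
    return valid, failed

def accept_any_trusted(text, trusted=TRUSTED):
    """Accept when at least one good signature comes from a trusted key."""
    valid, _ = parse_status(text)
    return any(fpr in trusted for fpr in valid)

def accept_only_if_all_verify(text, trusted=TRUSTED):
    """Contrast policy: every signature in the file must verify and be trusted."""
    valid, failed = parse_status(text)
    return bool(valid) and not failed and all(f in trusted for f in valid)
```

On the sample, `accept_any_trusted` accepts the release while `accept_only_if_all_verify` rejects it solely because a second, uncheckable signature was added.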



