List: busybox
Subject: Re: [PATCH] Update release script to generate detached signatures and checksum files
From: Denys Vlasenko <vda.linux () googlemail ! com>
Date: 2018-06-09 19:20:54
Message-ID: CAK1hOcPLC2d6mP95mfQm_Y=YijriRAjZ75J5Q9Oz8Vmp=KqJ_A () mail ! gmail ! com
On Tue, Jun 5, 2018 at 6:48 PM, Eli Schwartz <eschwartz@archlinux.org> wrote:
> This is more usable for programmatically checking the validity of a
> release.
> ---
>
> So this is what I'm envisioning. This generates the following files:
>
> busybox-$VERSION.tar.gz
> busybox-$VERSION.tar.gz.sig
> busybox-$VERSION.tar.gz.sha256
>
> And the same for tar.bz2
>
> Users or distro maintainers can download either the .sig file or the
> .sha256 to the same directory as the release archive, and then verify
> the archive by running,
>
> for gpg:
> gpg --verify busybox-$VERSION.tar.gz.sig
>
> for simply checking the checksums:
> sha256sum -c busybox-$VERSION.tar.gz.sha256
>
> I do not anticipate anyone wishing to check both. gpg signatures fulfill
> the role of checksums, because if the signature verification succeeds,
> then they already know the file did not get downloaded in a malformed
> fashion.
Applied, thanks
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
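
The verification steps described in the quoted message, as an added shell example that is not part of the original thread or of the BusyBox release script. `verify_release` is a hypothetical helper and the 0.0.0 archive is a constructed stand-in; the helper names the data file explicitly for gpg, rejects a checksum file with no entry for the archive, and fails when there is nothing to verify against.

```shell
#!/bin/sh
# verify_release ARCHIVE  (hypothetical helper, not from the BusyBox tree)
# Returns 0 only if every verification file found next to ARCHIVE passes.
verify_release() {
    archive=$1
    name=$(basename -- "$archive")
    checked=0
    [ -f "$archive" ] || { echo "missing: $archive" >&2; return 2; }

    if [ -f "$archive.sig" ]; then
        # Pass the signature and the data file explicitly, so gpg checks
        # exactly this archive instead of inferring the name from the .sig.
        gpg --verify "$archive.sig" "$archive" || return 1
        checked=1
    fi

    if [ -f "$archive.sha256" ]; then
        # Look up the entry for this archive by name: a checksum file that
        # lists only some other file must not count as a pass.
        expected=$(awk -v n="$name" '{f=$2; sub(/^\*/,"",f)} f==n {print $1; exit}' \
            "$archive.sha256")
        [ -n "$expected" ] || { echo "no entry for $name" >&2; return 1; }
        actual=$(sha256sum -- "$archive" | cut -d' ' -f1)
        [ "$expected" = "$actual" ] || { echo "checksum mismatch: $name" >&2; return 1; }
        checked=1
    fi

    # Neither a .sig nor a .sha256 was found: nothing was verified, fail closed.
    [ "$checked" -eq 1 ] || { echo "nothing to verify against" >&2; return 3; }
    return 0
}

# Constructed demo: a stand-in file, not a real BusyBox release.
tmp=$(mktemp -d)
printf 'constructed archive bytes\n' > "$tmp/busybox-0.0.0.tar.gz"
( cd "$tmp" && sha256sum busybox-0.0.0.tar.gz > busybox-0.0.0.tar.gz.sha256 )
verify_release "$tmp/busybox-0.0.0.tar.gz" && echo "intact archive: verified"
printf 'x' >> "$tmp/busybox-0.0.0.tar.gz"   # simulate a damaged download
verify_release "$tmp/busybox-0.0.0.tar.gz" || echo "modified archive: rejected"
rm -rf "$tmp"
```

The checksum path only detects accidental corruption relative to the .sha256 file; the gpg path additionally requires the signer's public key to be in the local keyring.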