On Mon, Mar 09, 2015 at 03:39:29PM -0400, Todd Zullinger wrote:
> Those on the list can check the PGP signature on the announcement mail
> and then use the included SHA1 to check the tarball, but doing that as
> a non-list member isn't as easy due to many list archives stripping or
> mangling PGP signatures.  I tried doing this with the 0.11
> announcement from the Mailman and Gmane archives now and wasn't
> successful.

It turns out that GMane mangles the list address in the message, so it
is possible to validate it but it's not straightforward:

    curl http://article.gmane.org/gmane.comp.version-control.cgit/2387/raw | sed -e 's/cgit[^ ]*@email@example.com/' | gpg --verify

> Posting a detached PGP signature for the tarball would improve the
> ability for users to trust and verify the cgit tarball.  It's not a
> blocker for your patch, but it would make it significantly more
> useful, so I thought I would broach the subject. ;)

It seems that Jason currently relies on CGit to generate the tarballs by
pointing to http://git.zx2c4.com/cgit/refs/tags, which means that a
signature isn't guaranteed to remain correct (Git has subtly changed the
tar encoding in the past and could do so again).  There's a recent thread
on the Git mailing list about a way to handle this better, but there
isn't any code yet AFAIK.

  http://thread.gmane.org/gmane.comp.version-control.git/264533

_______________________________________________
CGit mailing list
CGit@lists.zx2c4.com
http://lists.zx2c4.com/mailman/listinfo/cgit
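Added example, not part of the thread above and not cgit's or Git's own code: it illustrates the two points the message makes. First, a user who has verified the announcement's PGP signature still has to compare the tarball they downloaded against the SHA1 the announcement carries; second, a tarball regenerated on the fly (as a web front end does from a tag) is only byte-identical to an earlier one if the generator encodes every header field the same way, so a signature or digest over one generated archive need not match a later one. The file names, contents and mtimes below are constructed sample data; the archive writer used is Python's tarfile module, standing in for whatever generator produces the real release.

```python
import hashlib
import hmac
import io
import tarfile

# Constructed sample "source tree" standing in for a release; not real cgit files.
SAMPLE_FILES = {
    "cgit-0.11/README": b"sample readme\n",
    "cgit-0.11/cgit.c": b"int main(void) { return 0; }\n",
}


def build_tarball(files, mtime):
    """Write `files` into an in-memory tar archive, stamping each member with
    `mtime`.  Everything else (mode, uid/gid, owner names) is left at the
    TarInfo defaults so that the only varying header field is the timestamp,
    which models a generator that changes how it encodes metadata."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha1_hex(data):
    """SHA1 of the exact bytes of the archive, as published in an announcement."""
    return hashlib.sha1(data).hexdigest()


def verify_sha1(tarball_bytes, announced_hex):
    """Compare a downloaded tarball against the digest taken from a
    PGP-verified announcement.  The digest is normalised (whitespace, case)
    and compared with a constant-time comparison."""
    expected = announced_hex.strip().lower()
    return hmac.compare_digest(sha1_hex(tarball_bytes), expected)


def regenerated_tarball_matches(files, mtime_a, mtime_b):
    """True only if two archives built from the same tree hash identically;
    a change in any encoded header field breaks that, so a digest or
    detached signature must be taken over the specific published file."""
    return sha1_hex(build_tarball(files, mtime_a)) == sha1_hex(build_tarball(files, mtime_b))


if __name__ == "__main__":
    release = build_tarball(SAMPLE_FILES, 1425930000)
    announced = sha1_hex(release)  # what a signed announcement would carry
    print("announced SHA1:", announced)
    print("download matches announcement:", verify_sha1(release, announced))
    print("regenerated archive (same mtime) matches:",
          regenerated_tarball_matches(SAMPLE_FILES, 1425930000, 1425930000))
    print("regenerated archive (different mtime) matches:",
          regenerated_tarball_matches(SAMPLE_FILES, 1425930000, 1425930001))
```

The signature check itself is the `gpg --verify` step already shown in the thread; what this adds is the step after it, pinning the downloaded bytes to the digest the signed text vouches for, and a demonstration of why a digest over a regenerated archive is not something one can rely on being stable.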