Philip Martin wrote on Tue, May 15, 2012 at 17:08:20 +0100:
> Is this something we need to make explicit? Perhaps the release manager
> should be signing something else? The checksums perhaps? Would that be
> strong enough?

The RM could sign the rot13 of the zip files, that'd be more secure than signing the checksums. But I'm not convinced that we need to introduce this complication.

