On Sat, Sep 02, 2017 at 09:58:43AM +0200, Jérémy Lal wrote:
> The typical example I have under the hand is:
> https://nodejs.org/dist/v6.3.1/
> https://nodejs.org/dist/v6.3.1/SHASUMS256.txt
> https://nodejs.org/dist/v6.3.1/SHASUMS256.txt.asc

The subject confused me a bit. This appears to be a list of the hashes of each file, and this list of hashes is signed. That's quite different than the current signature handling, which expects a signature of the archive and verifies the archive against that signature.

Cheers,
-- 
James
GPG Key: 4096R/91BF BF4D 6956 BD5D F7B7 2D23 DFE6 91AE 331B A3DB

_______________________________________________
devscripts-devel mailing list
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/devscripts-devel
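
The two-step check that a signed checksum list implies, as an added example that is not part of the original thread or of devscripts: first verify the detached signature over the list, then compare the archive's SHA-256 with the list entry. The function names, the use of `gpgv` with a caller-supplied keyring, and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac
import string
import subprocess

def signature_ok(keyring, sig_path, list_path):
    """Step 1: verify the detached signature over the checksum list.
    Assumes gpgv is installed and `keyring` holds the trusted upstream key."""
    cmd = ["gpgv", "--keyring", keyring, sig_path, list_path]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def parse_sha256_list(text):
    """Parse sha256sum-style lines '<64 hex><space><space or *><name>'."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, sep, name = line[:64].lower(), line[64:66], line[66:]
        if (len(digest) != 64 or set(digest) - set(string.hexdigits)
                or sep not in ("  ", " *") or not name):
            raise ValueError("malformed checksum line: %r" % line)
        # The same file listed twice with different digests is ambiguous.
        if entries.setdefault(name, digest) != digest:
            raise ValueError("conflicting digests for %r" % name)
    return entries

def archive_matches(list_text, name, data):
    """Step 2: compare the archive's SHA-256 with the signed list's entry.
    Only meaningful after signature_ok() succeeded for the same list."""
    expected = parse_sha256_list(list_text).get(name)
    if expected is None:  # archive is not covered by the signed list
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)

# Constructed sample data, not real Node.js release content.
SAMPLE_ARCHIVE = b"constructed tarball bytes"
SAMPLE_LIST = "%s  example-1.0.tar.gz\n%s  other-1.0.tar.gz\n" % (
    hashlib.sha256(SAMPLE_ARCHIVE).hexdigest(), "0" * 64)

if __name__ == "__main__":
    print(archive_matches(SAMPLE_LIST, "example-1.0.tar.gz", SAMPLE_ARCHIVE))
```

An archive that is absent from the list is treated as unverified, since the signature then says nothing about it.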
