Hi Phil,
> > > > You either need to make and host your own, or download from the > > github mirror ( https://github.com/osmocom/gr-iqbal/releases ) > > Standard warning, github is known to regenerate tarballs with > different contents that lead to sha has mismatches with time making > it hard to validate the downloaded tarball. Don't depend on githb > downloaded tarballs if you care about supply chain integrity. This is a bit imprecise: The contents of the tarball are not different, but rather are timestamps might differ for _automatic_ generated tarballs. This is due to GitHub sometimes regenerating tarballs on the fly. If a release tarball is created manually and uploaded as asset for a release tag there is no problem. Cheers A
pgpSnPIESw7zZ.pgp
Description: OpenPGP digital signature
