If in doubt, the packager can always post the sig on this email list with PGP signature :-)-O
el On 2016-12-05 23:47, Scott Kostyshak wrote: > On Mon, Dec 05, 2016 at 09:02:54AM -0800, Rich Shepard wrote: >> On Mon, 5 Dec 2016, Jean-Marc Lasgouttes wrote: >> >>> Yes, there is this one: >>> ftp://ftp.lyx.org/pub/lyx/bin/2.2.2/LyX-222-Bundle-3.exe.sig >> >> JMarc, >> >> Perhaps Windows users will use that to check for modification when they >> download a new version. > > I feel obligated to warn that the .sig file can only be used to verify > that the Windows binary that a user downloads is the same one that the > release manager uploaded. We currently have no way for Windows files to > verify that the binary is the same one that the Windows packager > created. > > For all non-Windows files, the .sig files can be used to verify that the > files that a user downloads are the exact same that the packagers > created. > > Scott >
