Hello, The releases are signed in a funny way. The .asc file are not detached signatures of the checksum, but actually contain it inside the .asc file.
# gpg -v --verify notmuch-0.28.1.tar.gz.sha256.asc ... gpg: binary signature, digest algorithm SHA256, key algorithm rsa3072 gpg: WARNING: not a detached signature; file 'notmuch-0.28.1.tar.gz.sha256' was NOT verified! A much better way of signing this would have been as a detached signature of the tarball itself. Why sign a hash of a hash? ;) # gpg --detach --sign notmuch-0.28.1.tar.gz -> notmuch-0.28.1.tar.gz.sig Then you can verify this is a properly signed binary, # gpg -v --verify notmuch-0.28.1.tar.gz.sig gpg: assuming signed data in 'notmuch-0.28.1.tar.gz' gpg: Signature made Wed 06 Feb 2019 11:37:19 AM CET gpg: using RSA key 4BE7C1D3CC65813AF349D42F864508B01B2679CF gpg: using subkey 864508B01B2679CF instead of primary key E523F220AC8DFBD0 ... gpg: binary signature, digest algorithm SHA512, key algorithm rsa3904 The digest algorithm is from the key preferences, which you can change. You can also specify it as --digest-algo option, if you prefer. Best regards, - Adam PS. I'm not on the list. Please cc me if you would like any response ;) _______________________________________________ notmuch mailing list notmuch@notmuchmail.org https://notmuchmail.org/mailman/listinfo/notmuch