On Mon, Mar 09, 2015 at 03:39:29PM -0400, Todd Zullinger wrote:
Those on the list can check the PGP signature on the announcement mail
and then use the included SHA1 to check the tarball, but doing that as
a non-list member isn't as easy due to many list archives stripping or
mangling PGP
John Keeping wrote:
On Sat, Mar 07, 2015 at 06:35:10PM -0500, Todd Zullinger wrote:
But while we're on the subject, are there PGP signatures available for
the cgit tarballs themselves? I know the git tags are signed, but I
don't think I've seen detached signatures for the tarballs. In this
Oh, hah, my pipermail does the same. That's annoying. I'll change up the
release announcement next time to avoid that.
On Mar 9, 2015 11:32 PM, Jason A. Donenfeld ja...@zx2c4.com wrote:
On Mar 9, 2015 9:49 PM, John Keeping j...@keeping.me.uk wrote:
It turns out that GMane mangles the list
On Mar 8, 2015 12:35 AM, Todd Zullinger t...@pobox.com wrote:
But while we're on the subject, are there PGP signatures available for
the cgit tarballs themselves?
I include a sha256 of the tarball in the announcement emails. Those emails
are pgp signed. My pgp key is embedded in the repo, as
Jason A. Donenfeld wrote:
On Mar 8, 2015 12:35 AM, Todd Zullinger t...@pobox.com wrote:
But while we're on the subject, are there PGP signatures available
for the cgit tarballs themselves?
I include a sha256 of the tarball in the announcement emails. Those
emails are pgp signed. My pgp key
On Sat, Mar 07, 2015 at 06:35:10PM -0500, Todd Zullinger wrote:
John Keeping wrote:
I still think we can't rely on `gpg --recv-keys` though, we would
have to distribute the key with CGit and possibly also do something
to avoid importing it into the user's keyring by default.
If the
On Sat, 07 Mar 2015 at 18:02:59, John Keeping wrote:
[...]
I'm not sure what benefit it has if it's optional. Will anyone check?
Maybe we could do something like:
if type sha256sum >/dev/null 2>&1
then
sha256sum --check git.sha256sum $(GIT_FILE)
On Sat, Mar 07, 2015 at 06:49:32PM +0100, Lukas Fleischer wrote:
On Sat, 07 Mar 2015 at 18:02:59, John Keeping wrote:
[...]
I'm not sure what benefit it has if it's optional. Will anyone check?
Maybe we could do something like:
if type sha256sum >/dev/null 2>&1
then
On Sat, 07 Mar 2015 at 15:46:41, John Keeping wrote:
This requires that we save the downloaded file explicitly rather than
piping it straight to tar, but that is advisable anyway since it allows
us to check the exit status of curl and make sure that we have
downloaded the file successfully.