Re: Release signatures
On Sun, Feb 10 2019, David Bremner wrote:

> Adam Majer writes:
>
>> The releases are signed in a funny way. The .asc files are not detached
>> signatures of the checksum, but actually contain it inside the .asc file.
>>
>> # gpg -v --verify notmuch-0.28.1.tar.gz.sha256.asc
>> ...
>> gpg: binary signature, digest algorithm SHA256, key algorithm rsa3072
>> gpg: WARNING: not a detached signature; file
>> 'notmuch-0.28.1.tar.gz.sha256' was NOT verified!
>>
>> A much better way of signing this would have been as a detached
>> signature of the tarball itself. Why sign a hash of a hash? ;)
>
> I'm not sure why Carl did it that way 10 years ago. Perhaps Carl
> remembers? Offhand, I don't see any reason not to go with a more
> standard detached signature, other than it needs someone to do the
> relevant work.

If I did something non-standard here it certainly wasn't intentional. I
certainly would not oppose moving to a more standard (and obvious to us)
means of signing the releases.

-Carl

___
notmuch mailing list
notmuch@notmuchmail.org
https://notmuchmail.org/mailman/listinfo/notmuch
Re: Release signatures
Adam Majer writes:

> Hello,
>
> The releases are signed in a funny way. The .asc files are not detached
> signatures of the checksum, but actually contain it inside the .asc file.
>
> # gpg -v --verify notmuch-0.28.1.tar.gz.sha256.asc
> ...
> gpg: binary signature, digest algorithm SHA256, key algorithm rsa3072
> gpg: WARNING: not a detached signature; file
> 'notmuch-0.28.1.tar.gz.sha256' was NOT verified!
>
> A much better way of signing this would have been as a detached
> signature of the tarball itself. Why sign a hash of a hash? ;)

I'm not sure why Carl did it that way 10 years ago. Perhaps Carl
remembers? Offhand, I don't see any reason not to go with a more
standard detached signature, other than it needs someone to do the
relevant work.

d
Release signatures
Hello,

The releases are signed in a funny way. The .asc files are not detached
signatures of the checksum, but actually contain it inside the .asc file.

# gpg -v --verify notmuch-0.28.1.tar.gz.sha256.asc
...
gpg: binary signature, digest algorithm SHA256, key algorithm rsa3072
gpg: WARNING: not a detached signature; file
'notmuch-0.28.1.tar.gz.sha256' was NOT verified!

A much better way of signing this would have been as a detached
signature of the tarball itself. Why sign a hash of a hash? ;)

# gpg --detach --sign notmuch-0.28.1.tar.gz
-> notmuch-0.28.1.tar.gz.sig

Then you can verify this is a properly signed binary,

# gpg -v --verify notmuch-0.28.1.tar.gz.sig
gpg: assuming signed data in 'notmuch-0.28.1.tar.gz'
gpg: Signature made Wed 06 Feb 2019 11:37:19 AM CET
gpg:                using RSA key 4BE7C1D3CC65813AF349D42F864508B01B2679CF
gpg: using subkey 864508B01B2679CF instead of primary key E523F220AC8DFBD0
...
gpg: binary signature, digest algorithm SHA512, key algorithm rsa3904

The digest algorithm is from the key preferences, which you can change.
You can also specify it as --digest-algo option, if you prefer.

Best regards,
- Adam

PS. I'm not on the list. Please cc me if you would like any response ;)
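A verification script for the detached-signature layout Adam describes, added here as an example and not code from the notmuch project or from anyone in the thread. It pins the signing-key fingerprint that gpg printed in his example (an assumption; use a fingerprint you have checked out of band), reads gpg's --status-fd lines instead of the human-readable text, and fails closed on the "hash of a hash" case where the signed data lived inside the .asc rather than in the tarball.

```shell
#!/bin/sh
# verify_release.sh: check a detached signature on a release tarball against
# a pinned signing-key fingerprint via gpg's machine-readable status lines.
# Hypothetical helper for this thread; not part of notmuch. The fingerprint
# is the one from Adam's example and is an assumption: replace it with a key
# you have verified yourself.
EXPECTED_FPR="4BE7C1D3CC65813AF349D42F864508B01B2679CF"

# check_status reads "[GNUPG:] ..." lines from gpg --status-fd on stdin.
# Returns 0 only if a VALIDSIG from the pinned key was seen and nothing
# indicated a bad signature or an inline (non-detached) signature.
check_status() {
    expected="$1"
    seen_valid=0
    failed=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                set -f; set -- $line; set +f   # $3 is the signing (sub)key fingerprint
                if [ "$3" = "$expected" ]; then
                    seen_valid=1
                else
                    echo "signed by unexpected key $3" >&2
                    failed=1
                fi ;;
            "[GNUPG:] PLAINTEXT "*)
                # Assumption: gpg reports PLAINTEXT when the signed data was
                # carried inside the signature file. That is the "hash of a
                # hash" layout from the thread: the tarball itself was never
                # checked, whatever the signature says about the .sha256 text.
                echo "inline signature: data came from the .asc, not the tarball" >&2
                failed=1 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NODATA "*|"[GNUPG:] EXPKEYSIG "*|"[GNUPG:] REVKEYSIG "*)
                echo "signature problem: $line" >&2
                failed=1 ;;
        esac
    done
    if [ "$seen_valid" -eq 1 ] && [ "$failed" -eq 0 ]; then return 0; fi
    return 1
}

# verify_release TARBALL SIGFILE: hand gpg both files explicitly, as in
# Adam's example, so the data being checked is always the tarball.
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null \
        | check_status "$EXPECTED_FPR"
}

if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2" && echo "OK: $1 carries a valid detached signature"
fi
```

Run it as `sh verify_release.sh notmuch-0.28.1.tar.gz notmuch-0.28.1.tar.gz.sig`; a non-zero exit means the tarball must not be trusted.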