To answer a number of questions about this all at once: No, we don't sign
releases with GnuPG or OpenPGP.
GnuPG alone is a compressed tarball of 4.2 MB of code I have occasionally
had to glance at. I do not have enough
energy in my life to clean up two poorly written crypto code bases. The
world will be better if we only concentrate
on one.
$ wc -l *.c
29 crypto_api.c
143 mod_ed25519.c
327 mod_ge25519.c
806 signify.c
1305 total
Signify is 1305 *lines* of C code, and it's included in our development
platform. It is not that difficult to install, and
if you can't install it, you could always run OpenBSD in a VM to verify a
signature; it comes with OpenBSD.
On Mon, Jul 14, 2014 at 11:01 AM, Ralph Giles <[email protected]>
wrote:
> Thanks for providing signed checksums of the releases on
> http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/ !
>
> I respectfully suggest offering OpenPGP signatures, at least as an
> alternative, would be more portable. My systems don't have signify.
>
> —
> Reply to this email directly or view it on GitHub
> <https://github.com/libressl-portable/portable/issues/12>.
>