From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <david@tethera.net>
Received: from localhost (localhost [127.0.0.1])
 by arlo.cworth.org (Postfix) with ESMTP id 1E76E6DE1055
 for <notmuch@notmuchmail.org>; Sun, 10 Feb 2019 05:51:06 -0800 (PST)
X-Virus-Scanned: Debian amavisd-new at cworth.org
X-Spam-Flag: NO
X-Spam-Score: -0.006
X-Spam-Level: 
X-Spam-Status: No, score=-0.006 tagged_above=-999 required=5
 tests=[AWL=-0.005, SPF_PASS=-0.001] autolearn=disabled
Received: from arlo.cworth.org ([127.0.0.1])
 by localhost (arlo.cworth.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id J4Il9LeS5Ti6 for <notmuch@notmuchmail.org>;
 Sun, 10 Feb 2019 05:51:05 -0800 (PST)
Received: from fethera.tethera.net (fethera.tethera.net [198.245.60.197])
 by arlo.cworth.org (Postfix) with ESMTPS id 31D3A6DE00EA
 for <notmuch@notmuchmail.org>; Sun, 10 Feb 2019 05:51:05 -0800 (PST)
Received: from remotemail by fethera.tethera.net with local (Exim 4.89)
 (envelope-from <david@tethera.net>)
 id 1gspVe-0006vE-NF; Sun, 10 Feb 2019 08:51:02 -0500
Received: (nullmailer pid 28463 invoked by uid 1000);
 Sun, 10 Feb 2019 13:51:01 -0000
From: David Bremner <david@tethera.net>
To: Adam Majer <amajer@suse.de>, notmuch@notmuchmail.org
Subject: Re: Release signatures
In-Reply-To: <b3fd556d-c346-7af9-a7a2-13b0f3235071@suse.de>
References: <b3fd556d-c346-7af9-a7a2-13b0f3235071@suse.de>
X-List-To: notmuch
Date: Sun, 10 Feb 2019 09:51:01 -0400
Message-ID: <87a7j33g6y.fsf@tethera.net>
MIME-Version: 1.0
Content-Type: text/plain
X-BeenThere: notmuch@notmuchmail.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Use and development of the notmuch mail system."
 <notmuch.notmuchmail.org>
List-Unsubscribe: <https://notmuchmail.org/mailman/options/notmuch>,
 <mailto:notmuch-request@notmuchmail.org?subject=unsubscribe>
List-Archive: <http://notmuchmail.org/pipermail/notmuch/>
List-Post: <mailto:notmuch@notmuchmail.org>
List-Help: <mailto:notmuch-request@notmuchmail.org?subject=help>
List-Subscribe: <https://notmuchmail.org/mailman/listinfo/notmuch>,
 <mailto:notmuch-request@notmuchmail.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Feb 2019 13:51:06 -0000

Adam Majer <amajer@suse.de> writes:

> Hello,
>
> The releases are signed in a funny way. The .asc file are not detached
> signatures of the checksum, but actually contain it inside the .asc file.
>
> # gpg -v --verify notmuch-0.28.1.tar.gz.sha256.asc
> ...
> gpg: binary signature, digest algorithm SHA256, key algorithm rsa3072
> gpg: WARNING: not a detached signature; file
> 'notmuch-0.28.1.tar.gz.sha256' was NOT verified!
>
> A much better way of signing this would have been as a detached
> signature of the tarball itself. Why sign a hash of a hash? ;)

I'm not sure why Carl did it that way 10 years ago. Perhaps Carl
remembers?  Offhand, I don't see any reason not to go with a more
standard detached signature, other than it needs someone to do the
relevant work.

d