From: Carl Worth
Sender: cworth@cworth.org
To: David Bremner, Adam Majer, notmuch@notmuchmail.org
Subject: Re: Release signatures
Date: Mon, 11 Feb 2019 15:37:53 -0800
Message-ID: <87mun16gmm.fsf@wondoo.home.cworth.org>
In-Reply-To: <87a7j33g6y.fsf@tethera.net>
References: <87a7j33g6y.fsf@tethera.net>
List-Id: "Use and development of the notmuch mail system."

On Sun, Feb 10 2019, David Bremner wrote:
> Adam Majer writes:
>> The releases are signed in a funny way. The .asc files are not detached
>> signatures of the checksum, but actually contain it inside the .asc file.
>>
>> # gpg -v --verify notmuch-0.28.1.tar.gz.sha256.asc
>> ...
>> gpg: binary signature, digest algorithm SHA256, key algorithm rsa3072
>> gpg: WARNING: not a detached signature; file
>> 'notmuch-0.28.1.tar.gz.sha256' was NOT verified!
>>
>> A much better way of signing this would have been as a detached
>> signature of the tarball itself. Why sign a hash of a hash? ;)
>
> I'm not sure why Carl did it that way 10 years ago. Perhaps Carl
> remembers? Offhand, I don't see any reason not to go with a more
> standard detached signature, other than it needs someone to do the
> relevant work.

If I did something non-standard here it certainly wasn't intentional.

I certainly would not oppose moving to a more standard (and obvious to
us) means of signing the releases.

-Carl