Author

Topic: Request: Release/Package Signing (Read 705 times)

newbie
Activity: 10
Merit: 0
July 06, 2011, 03:25:08 PM
#1
I would like to suggest that the method of signing releases be changed.

Currently,  a single file (SHA1SUMS.asc) containing hashes of the release files is clearsigned and posted with all the release files. To verify a release I've downloaded, I need to hash the file I downloaded and compare it to one in the list of hashes.

I propose that your release process is changed so that each release package is gpg detach signed. This approach follows a more standard method of software release and eases validation for users or at least allows for simple automation of the validation process. To validate a download, the user would grab both the release file and the related detached signature and then run something like 'gpg --verify bitcoin-0.3.23-linux.tar.gz.gpg'.
Jump to: