bibledit-general

Re: [be] Verification of release tar balls


From: Jonathan Marsden
Subject: Re: [be] Verification of release tar balls
Date: Fri, 24 Sep 2010 11:51:47 -0700
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100802 Thunderbird/3.1.2

Teus,

On 9/24/2010 11:03 AM, Teus Benschop wrote:

> The build computer is different from the web server. The scripts
> given by Jonathan were excellent. They made it easy to at once grasp
> the idea for making the sums. If there are similar scripts for doing
> the signing with GnuPG, that would help greatly. Teus.

Assuming you have already set up gpg itself, generated a keypair, and
published the public key to the keyservers, then

  gpg -ab bibledit-gtk-4.1.tar.gz

(and providing your gpg passphrase when prompted for it) will create a
detached signature file bibledit-gtk-4.1.tar.gz.asc

Users can later verify this by downloading the pair of .gz and .gz.asc
files, importing the relevant public key from the keyservers, and then
running

  gpg --verify bibledit-gtk-4.1.tar.gz.asc bibledit-gtk-4.1.tar.gz

My opinion is that far fewer users understand this approach than
understand the way to check MD5SUMs, and it is less easily automatable
(because you have to import the specific public key involved) so while
the level of verification is definitely higher, the chance that someone
will actually take the time to verify a file this way is lower.  It's
good practice to provide both, of course :)

Jonathan
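The signing and verification steps from the reply above, put into a small POSIX shell script. This is an added example, not code from the original post or from the Bibledit project. It assumes GnuPG 2.x and GNU coreutils are installed; it writes a SHA256SUMS file (sha256sum is this example's substitute for the MD5SUMs the post mentions); and, so that it runs offline, it generates a throw-away unprotected key in an isolated GNUPGHOME as a stand-in for the maintainer's real release key. The tarball name is the one from the post, but its contents are constructed.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): detached signing with
# gpg -ab, verification with gpg --verify, and a checksum file alongside.
# Assumptions: GnuPG 2.x and GNU coreutils (sha256sum, mktemp, tar).

# Write a SHA256SUMS file covering the given release files.
make_sums() {
    sha256sum "$@" > SHA256SUMS
}

# Check every file listed in SHA256SUMS; returns 0 only when all sums match.
check_sums() {
    sha256sum -c --quiet SHA256SUMS >/dev/null 2>&1
}

# Create the detached ASCII-armoured signature FILE.asc (the post's "gpg -ab").
# --batch/--yes keep it non-interactive; a passphrase-protected release key
# would prompt for its passphrase here.
sign_detached() {
    gpg --batch --yes --armor --detach-sign "$1"
}

# Verify FILE against FILE.asc with the public keys in the current keyring.
verify_detached() {
    gpg --batch --verify "$1.asc" "$1" >/dev/null 2>&1
}

# Generate a throw-away, unprotected RSA key inside $GNUPGHOME. This only
# stands in for the keypair the post assumes the maintainer already has.
make_test_key() {
    gpg --batch --gen-key >/dev/null 2>&1 <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Example Release Signer
Name-Email: release@example.invalid
Expire-Date: 0
%commit
EOF
}

# Build a constructed stand-in tarball named $1 in a fresh temporary
# directory and make that directory the current one.
setup_release() {
    work=$(mktemp -d) || return 1
    cd "$work" || return 1
    printf 'constructed release contents\n' > payload.txt
    tar czf "$1" payload.txt
}

# Checksum flow: the untouched tarball passes, a tampered one fails.
demo_sums() {
    setup_release bibledit-gtk-4.1.tar.gz || return 1
    make_sums bibledit-gtk-4.1.tar.gz
    check_sums || return 1
    printf 'x' >> bibledit-gtk-4.1.tar.gz      # simulate a corrupted download
    if check_sums; then return 1; fi
    return 0
}

# Signature flow: sign, verify, then confirm a tampered file no longer verifies.
demo_signature() {
    setup_release bibledit-gtk-4.1.tar.gz || return 1
    GNUPGHOME="$PWD/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" || return 1
    make_test_key || return 1
    sign_detached bibledit-gtk-4.1.tar.gz || return 1
    verify_detached bibledit-gtk-4.1.tar.gz || return 1
    printf 'x' >> bibledit-gtk-4.1.tar.gz      # simulate a tampered download
    if verify_detached bibledit-gtk-4.1.tar.gz; then return 1; fi
    return 0
}

# Run both demonstrations when executed directly.
if demo_sums; then echo "checksum demo: OK"; fi
if command -v gpg >/dev/null 2>&1; then
    if demo_signature; then echo "signature demo: OK"; fi
fi
```

For a real release the maintainer would skip make_test_key and let sign_detached use the already-published key, and users would run the verify_detached step after importing that key from the keyservers, exactly as the post describes.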


