bibledit-general
Re: [be] Verification of release tar balls


From: John Marshall
Subject: Re: [be] Verification of release tar balls
Date: Mon, 27 Sep 2010 19:40:03 +1000
User-agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.9.2.9) Gecko/20100920 Lightning/1.0b2 Thunderbird/3.1.4

On 26/09/2010 01:30, Teus Benschop wrote:
> Before starting on this, may I ask if there is going to be anyone who
> will use the GnuPG signatures to verify the accuracy of the tar balls?
> If there is nobody, there is little point in signing the stuff.

The checksums, by themselves, provide a means to verify the integrity of
the downloaded tar ball (is it OK or corrupted).  A PGP signature
provides that PLUS a means of verifying the origin of the published tar
ball.

If PGP signatures are available I always check them.  As Jonathan
pointed out, generating a detached PGP signature file is as easy as:

  gpg -ab bibledit-gtk-4.1.tar.gz

The file it produces is a signed SHA1 checksum of the specified file.
Not all projects produce PGP signatures for their distributions but many
of them do.  If the detached signature passes verification, then I know
that the integrity of the downloaded file is good AND that it originated
from somebody who holds the corresponding private PGP key.

Thank you for producing and publishing the MD5 and SHA1 checksums.  That
provides us with a means of verifying integrity of the download.
If the checksums are quoted in the release announcement email as well,
that provides people with an additional level of confidence in the
authenticity of the distribution files - which is even more important if
there is no PGP signature.

-- 
John Marshall

Attachment: signature.asc
Description: OpenPGP digital signature
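The two checks the message contrasts, a checksum that proves only integrity and a detached signature that also ties the file to a key holder, run end to end below. This is an added example, not code from the bibledit project or from the thread; it uses the `gpg -ab` invocation quoted above, generates a throwaway no-passphrase key in a temporary GNUPGHOME, and builds a stand-in `bibledit-gtk-4.1.tar.gz` from constructed contents. It assumes GnuPG 2.1 or later, GNU coreutils `sha1sum` (on FreeBSD the equivalent tool differs) and `tar`. The "mirror" step models an attacker who can rewrite both the tarball and the `.sha1` file next to it but has no access to the signing key, which is exactly the case where the checksum alone is not enough.

```shell
#!/bin/sh
# Added example (not the bibledit project's own scripts): publish and verify
# a release tarball with a SHA1 checksum file and a detached OpenPGP
# signature.  Throwaway key, throwaway GNUPGHOME, constructed tarball.
# Assumes GnuPG 2.1+, coreutils sha1sum and tar.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$WORK"' EXIT

# Throwaway signing key; no passphrase so the example runs unattended.
cat > "$WORK/keyparams" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Release Signer (example only)
Name-Email: signer@example.invalid
Expire-Date: 0
%commit
EOF
gpg --batch --quiet --gen-key "$WORK/keyparams" 2>/dev/null

# Constructed stand-in for the real release tarball.
TARBALL="$WORK/bibledit-gtk-4.1.tar.gz"
mkdir "$WORK/bibledit-gtk-4.1"
printf 'example release contents\n' > "$WORK/bibledit-gtk-4.1/README"
tar -C "$WORK" -czf "$TARBALL" bibledit-gtk-4.1

# --- publisher side ---------------------------------------------------------

# Fingerprint to publish out of band (project page, announcement mail).
signer_fingerprint() {
    gpg --batch --with-colons --list-keys | awk -F: '/^fpr:/ { print $10; exit }'
}

# Checksum file in the format "sha1sum -c" reads: integrity only.
publish_checksums() {            # publish_checksums FILE -> FILE.sha1
    ( cd "$(dirname "$1")" && sha1sum "$(basename "$1")" > "$(basename "$1").sha1" )
}

# Detached, ASCII-armoured signature: the exact command quoted in the mail.
sign_release() {                 # sign_release FILE -> FILE.asc
    gpg --batch --yes -ab "$1"
}

# --- downloader side --------------------------------------------------------

verify_checksum() {              # exit 0 iff FILE matches FILE.sha1
    ( cd "$(dirname "$1")" && sha1sum -c --status "$(basename "$1").sha1" )
}

verify_signature() {             # exit 0 iff FILE.asc is a good signature over FILE
    gpg --batch --verify "$1.asc" "$1" 2>/dev/null
}

publish_checksums "$TARBALL"
sign_release "$TARBALL"

# Model a compromised mirror: the attacker alters the tarball and rewrites the
# checksum file beside it, but cannot produce a matching .asc without the key.
EVIL="$WORK/mirror/bibledit-gtk-4.1.tar.gz"
mkdir "$WORK/mirror"
cp "$TARBALL" "$TARBALL.asc" "$WORK/mirror/"
printf 'backdoor\n' >> "$EVIL"
publish_checksums "$EVIL"

echo "signer fingerprint: $(signer_fingerprint)"
verify_checksum  "$TARBALL" && echo "original: checksum OK"
verify_signature "$TARBALL" && echo "original: signature OK"
verify_checksum  "$EVIL"    && echo "tampered: checksum OK (attacker rewrote the .sha1)"
verify_signature "$EVIL"    || echo "tampered: signature BAD (detected)"
```

The interesting line is the third check: the tampered tarball passes `sha1sum -c` because whoever replaced the file also replaced the checksum file, which is why quoting the checksums in the signed announcement mail, or better a detached signature over the tarball, is what actually pins the download to the publisher. On the verifying side, `gpg --verify` reporting "Good signature" is only meaningful once the key's fingerprint has been matched against one obtained through a channel other than the download site.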

