
Verify upstream PGP signed sha256sums file



Hello,

I add PGP verification to my debian/watch files wherever possible so
that if upstream has a signature on their tarball, it can be verified.
I've seen a few projects now that choose to include a clearsigned file
that contains the sha256sums of all their tarballs and binaries instead
of providing signatures for each file separately. Does Debian have any
way to verify the tarball using this signed checksum file without some
sort of custom script needed? Attached is an example of one such file.

--
Ben Westover
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Name: p2pool-v3.6-freebsd-x64.tar.gz
Size: 797854 bytes (779 KiB)
SHA256: 872623a4df19e9fe5a6d710c7b8706d3804b29d24a7b6857e98617569ff2ab51

Name: p2pool-v3.6-linux-aarch64.tar.gz
Size: 1073032 bytes (1047 KiB)
SHA256: f4f009058b50a4a6ea42e941542d33e6cedb9d5d8102862df6282a5e30078d49

Name: p2pool-v3.6-linux-x64.tar.gz
Size: 1104203 bytes (1078 KiB)
SHA256: ef11e7f28ea6b529d4e35b3e844484c5160d9d4dfe99fae32b6df8229a859cb4

Name: p2pool-v3.6-macos-aarch64.tar.gz
Size: 729764 bytes (712 KiB)
SHA256: a8cdc3670f8c078451f305907d2e05894a23821d6f09bf370676d86b20b6479f

Name: p2pool-v3.6-macos-x64.tar.gz
Size: 768937 bytes (750 KiB)
SHA256: bfe999ec706c89c8c050d52e6af7a89b32fff5233bc3526c8801f40396ae92d6

Name: p2pool-v3.6-windows-x64.zip
Size: 966831 bytes (944 KiB)
SHA256: 2ba27f5796e27b6ca77652b972848585e11e415fa4f0369008ba53fbf810170c

Name: p2pool_source.tar.xz
Size: 52889504 bytes (50 MiB)
SHA256: 52f9e99761b5f005448fc382c983161b9b0f5f2e0310a7dcaefad1eaf93e6398
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
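
An added example, not part of the original message and not Debian tooling: one way to check a downloaded tarball against a clearsigned file laid out like the attachment above. The function names and the keyring path argument are assumptions; the only external tool used is `gpgv` with its `--keyring` and `--output` options.

```python
import hashlib
import re
import subprocess

# One "Name / Size / SHA256" stanza in the layout of the attached file.
# The name may not contain "/" so an entry cannot point outside the directory.
ENTRY = re.compile(
    r"^Name: (?P<name>[^\r\n/]+)\r?\n"
    r"Size: (?P<size>\d+) bytes[^\r\n]*\r?\n"
    r"SHA256: (?P<sha>[0-9a-fA-F]{64})\r?$",
    re.MULTILINE,
)

def signed_payload(clearsigned_path, keyring_path):
    """Return only the text covered by a good signature.

    gpgv exits non-zero (CalledProcessError here) when the signature is bad
    or the key is not in the keyring. Parsing this output rather than the raw
    file ignores anything placed outside the signed region.
    """
    result = subprocess.run(
        ["gpgv", "--keyring", keyring_path, "--output", "-", clearsigned_path],
        check=True, capture_output=True,
    )
    return result.stdout.decode("utf-8")

def parse_checksums(payload):
    """Map file name -> (size in bytes, lowercase SHA-256 hex)."""
    entries = {}
    for m in ENTRY.finditer(payload):
        if m["name"] in entries:
            raise ValueError("duplicate entry for " + m["name"])
        entries[m["name"]] = (int(m["size"]), m["sha"].lower())
    return entries

def verify_tarball(path, listed_name, entries):
    """True only if the file's size and SHA-256 both match the listed entry."""
    size, want = entries[listed_name]  # KeyError: file is not listed at all
    digest, seen = hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
            seen += len(chunk)
    return seen == size and digest.hexdigest() == want
```

The intended order is `signed_payload`, then `parse_checksums` on its return value, then `verify_tarball`; a failure at any step means the tarball should not be imported.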
