Re: Verify upstream PGP signed sha256sums file

On 9/1/23 08:10, Ben Westover wrote:

I add PGP verification to my debian/watch files wherever possible so
that if upstream has a signature on their tarball, it can be verified.
I've seen a few projects now that choose to include a clearsigned file
that contains the sha256sums of all their tarballs and binaries instead
of providing signatures for each file separately. Does Debian have any
way to verify the tarball using this signed checksum file without some
sort of custom script needed? Attached is an example of one such file.

Ben Westover


There is an issue open for that (#1014333), contributions welcome!
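What such a check has to do, spelled out as an added shell example (this is not Debian's, uscan's or the original poster's code; the keyring path, the SHA256SUMS.asc file name and the tarball name are assumptions chosen for illustration):

```shell
#!/bin/sh
# Added example (not Debian's, uscan's or the poster's code): verify a tarball
# against an upstream clearsigned SHA256SUMS file in three steps.
# Assumptions: the keyring path, the sums file name and the tarball name are
# placeholders chosen for illustration.

# Step 1 (needs gpg): verify the clearsign signature against a keyring holding
# only the upstream signing key (give an absolute path, so gpg does not look in
# its home directory). Fails for an unknown key, a bad signature or edited text.
verify_signature() {
  keyring=$1
  sums=$2
  gpg --batch --no-default-keyring --keyring "$keyring" --verify "$sums"
}

# Step 2: print exactly the text the signature covers: everything between the
# blank line that ends the armor headers and the BEGIN PGP SIGNATURE line, with
# the clearsign dash-escaping ("- " prefix on lines starting with "-") undone.
# Lines outside that region are not signed and must never be trusted.
extract_signed_body() {
  awk '
    /^-----BEGIN PGP SIGNED MESSAGE-----$/ { in_hdr = 1; next }
    in_hdr && /^$/                         { in_hdr = 0; in_body = 1; next }
    in_hdr                                 { next }
    /^-----BEGIN PGP SIGNATURE-----$/      { exit }
    in_body                                { sub(/^- /, ""); print }
  ' "$1"
}

# Step 3: select the one line naming our tarball (sha256sum writes either
# "hash  name" or "hash *name") and let sha256sum compare it. Matching on the
# exact basename stops a hash for some other listed file from being accepted.
# Returns 0 only when exactly one entry matches and the digest agrees.
check_tarball() {
  sums=$1
  tarball=$2
  name=$(basename "$tarball")
  line=$(extract_signed_body "$sums" | awk -v n="$name" '
    { f = $2; sub(/^\*/, "", f); if (f == n) print $1 "  " n }')
  if [ "$(printf '%s\n' "$line" | grep -c .)" -ne 1 ]; then
    echo "no unique SHA256SUMS entry for $name" >&2
    return 1
  fi
  ( cd "$(dirname "$tarball")" && printf '%s\n' "$line" | sha256sum -c --status - )
}

# The whole check as a watch-file helper would need it: signature first, so an
# unsigned or re-signed sums file never reaches the checksum step.
verify_tarball() {
  verify_signature "$1" "$2" && check_tarball "$2" "$3"
}

# Usage (placeholder paths): verify_tarball /path/to/upstream-keyring.gpg SHA256SUMS.asc foo-1.0.tar.gz
```

Two details matter for this to be a real verification rather than a formality: only the text between the armor headers and the signature block is parsed, so anything appended after the signature (or sitting before the headers) is ignored even though it is in the same file, and the tarball is matched by its exact name so a valid hash for a different listed artifact cannot stand in for it. Filenames containing whitespace are not handled by the simple field split above.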

