Re: Problems verifying signed github releases (Re: Q: uscan with GitHub)

To: debian-devel@lists.debian.org
Subject: Re: Problems verifying signed github releases (Re: Q: uscan with GitHub)
From: Stephan Verbücheln <verbuecheln@posteo.de>
Date: Mon, 20 Feb 2023 07:01:14 +0000
Message-id: <[🔎] 9c88fc58604be3f5c1c5312ceb9e26e06fb0e72f.camel@posteo.de>
In-reply-to: <[🔎] 8e7de222-27b0-d896-6b5e-5cf6596c9f64@gmail.com>
References: <[🔎] 8e7de222-27b0-d896-6b5e-5cf6596c9f64@gmail.com>

Note that kernel.org signs the raw tar file and not the compressed
file. This way, they avoid issues like that and also allow conversion
into different compression formats while the signature stays valid.

Downside is that you have to decompress it first and then hash quite a
big file for validation.

Regards

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to:

References:
- Re: Problems verifying signed github releases (Re: Q: uscan with GitHub)
  - From: Jens Reyer <jre.winesim@gmail.com>

Prev by Date: Re: Problems verifying signed github releases (Re: Q: uscan with GitHub)
Next by Date: Re: packages.debian.org hasn't been updated for non-free-firmware
Previous by thread: Re: Problems verifying signed github releases (Re: Q: uscan with GitHub)
Next by thread: Bug#1031661: ITP: libkysdk-applications -- kylin SDK based on application level
Index(es):
- Date
- Thread