 |
July 06, 2011, 08:25:08 PM |
|
I would like to suggest that the method of signing releases be changed.
Currently, a single file (SHA1SUMS.asc) containing hashes of the release files is clearsigned and posted with all the release files. To verify a release I've downloaded, I need to hash the file I downloaded and compare it to one in the list of hashes.
I propose that your release process is changed so that each release package is gpg detach signed. This approach follows a more standard method of software release and eases validation for users or at least allows for simple automation of the validation process. To validate a download, the user would grab both the release file and the related detached signature and then run something like 'gpg --verify bitcoin-0.3.23-linux.tar.gz.gpg'.
|
