Bitcoin Forum
April 04, 2020, 04:10:44 PM *
News: Latest Bitcoin Core release: 0.19.1 [Torrent]
   Home   Help Search Login Register More  
Pages: [1]
Author Topic: Request: Release/Package Signing  (Read 604 times)
Offline Offline

Activity: 10
Merit: 0

View Profile WWW
July 06, 2011, 08:25:08 PM

I would like to suggest that the method of signing releases be changed.

Currently,  a single file (SHA1SUMS.asc) containing hashes of the release files is clearsigned and posted with all the release files. To verify a release I've downloaded, I need to hash the file I downloaded and compare it to one in the list of hashes.

I propose that your release process is changed so that each release package is gpg detach signed. This approach follows a more standard method of software release and eases validation for users or at least allows for simple automation of the validation process. To validate a download, the user would grab both the release file and the related detached signature and then run something like 'gpg --verify bitcoin-0.3.23-linux.tar.gz.gpg'.
Pages: [1]
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!