Bitcoin Forum
October 21, 2016, 01:10:16 PM *
News: Latest stable version of Bitcoin Core: 0.13.0  [Torrent].
   Home   Help Search Donate Login Register  
Pages: [1]
Author Topic: Request: Release/Package Signing  (Read 502 times)
Offline Offline

Activity: 10

View Profile WWW
July 06, 2011, 08:25:08 PM

I would like to suggest that the method of signing releases be changed.

Currently,  a single file (SHA1SUMS.asc) containing hashes of the release files is clearsigned and posted with all the release files. To verify a release I've downloaded, I need to hash the file I downloaded and compare it to one in the list of hashes.

I propose that your release process is changed so that each release package is gpg detach signed. This approach follows a more standard method of software release and eases validation for users or at least allows for simple automation of the validation process. To validate a download, the user would grab both the release file and the related detached signature and then run something like 'gpg --verify bitcoin-0.3.23-linux.tar.gz.gpg'.

Pages: [1]
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!