Bitcoin Forum
December 03, 2016, 04:42:29 AM *
Topic: Request: Release/Package Signing
BitcoinCyberStore.com
July 06, 2011, 08:25:08 PM
 #1

I would like to suggest that the method of signing releases be changed.

Currently, a single file (SHA1SUMS.asc) containing hashes of the release files is clearsigned and posted with all the release files. To verify a release I've downloaded, I need to hash the file I downloaded and compare it to one in the list of hashes.

I propose that your release process is changed so that each release package is gpg detach signed. This approach follows a more standard method of software release and eases validation for users or at least allows for simple automation of the validation process. To validate a download, the user would grab both the release file and the related detached signature and then run something like 'gpg --verify bitcoin-0.3.23-linux.tar.gz.gpg'.

PGP: 0xCBF44B9FF2D68ADE
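
The manual check described in the post above (hash the download, then compare it with the entry in the signed list) can be automated. The following is an added example, not part of the original post or the project's release tooling. It assumes the list uses the usual sha1sum line format; the function names, the second file name and the sample payloads are constructed for illustration.

```python
import hashlib
import hmac
import subprocess

def verified_manifest(asc_path):
    """Return the signed text of a clearsigned file, as emitted by gpg itself.

    gpg exits non-zero on a bad signature or a missing public key. A zero exit
    only means "good signature from a key in the keyring"; whether that key is
    the release key is a separate check.
    """
    done = subprocess.run(["gpg", "--batch", "--decrypt", asc_path],
                          check=True, capture_output=True)
    return done.stdout.decode("utf-8")

def parse_sha1sums(manifest_text):
    """Parse sha1sum-style lines ('<40 hex>  name' or '<40 hex> *name')."""
    entries = {}
    for line in manifest_text.splitlines():
        if not line.strip():
            continue
        digest, _, name = line.partition(" ")
        name = name[1:] if name[:1] in (" ", "*") else name
        if len(digest) != 40 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed line: {line!r}")
        if not name or name in entries:  # a duplicate name makes the list ambiguous
            raise ValueError(f"missing or duplicate file name: {line!r}")
        entries[name] = digest.lower()
    return entries

def release_matches(manifest_text, file_name, data):
    """True only if file_name is listed and its SHA-1 equals the listed digest."""
    expected = parse_sha1sums(manifest_text).get(file_name)
    if expected is None:  # an unlisted file is a failure, not a pass
        return False
    actual = hashlib.sha1(data).hexdigest()
    return hmac.compare_digest(actual, expected)

# Constructed sample: made-up payloads and the manifest text that lists them.
SAMPLE_FILES = {
    "bitcoin-0.3.23-linux.tar.gz": b"constructed linux payload",
    "constructed-other-file.zip": b"constructed second payload",
}
SAMPLE_MANIFEST = "".join(
    f"{hashlib.sha1(body).hexdigest()}  {name}\n" for name, body in SAMPLE_FILES.items()
)
```

Pass `release_matches` the text returned by `verified_manifest`, not the raw contents of SHA1SUMS.asc, so that only text covered by the signature is compared.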