21 Jul
2019
21 Jul
'19
3:27 p.m.
On 7/21/19 9:19 AM, brent s. wrote:
i can't speak for why it bothers Eli, but it bothers me because that's exactly what GPG detached sigs are already: signed hash checksums. The signify method is a signed hash checksum of a (list of) hash checksum(s). To me it feels like an unnecessary abstraction when one could just provide .sig files for each file and be more widely compatible.
The problem is a lot bigger, because "widely compatible" includes "being compatible with makepkg's official validation mechanism" and that unnecessary abstraction means it cannot, in fact, be used in makepkg after all. -- Eli Schwartz Bug Wrangler and Trusted User