[pacman-dev] [PATCH 0/2] Deprecate md5sums, show sha256sums as an example-by-default.

Mike Swanson mikeonthecomputer at gmail.com
Fri Feb 24 20:27:26 UTC 2017


On Fri, 2017-02-24 at 14:52 +0100, Bruno Pagani wrote:
> Debian wrote a nice page about this:
> https://wiki.debian.org/Creating%20signed%20GitHub%20releases

This wiki offers bad advice.  It trusts that GitHub itself is not
compromised and will provide a good download based on the repository
alone.

Thankfully, because GitHub normally just uses `git archive` and those
releases are deterministic, it can be solved by using your local
repository alone, for example:

$ git archive --format=tar.gz --prefix=mysoftware-0.4/ mysoftware-0.4 \
  | gpg -a -b -o mysoftware-0.4.tar.gz.asc
  
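As an added example (not Mike's code and not anything shipped by pacman or GitHub): a small POSIX shell script that rebuilds a tag's tarball from the local clone the way GitHub's autogenerated archives are built, detach-signs it, verifies the signature, and compares the digest of the local build against a separately obtained copy. The repository path, the tag name `mysoftware-0.4`, the key in `GNUPGHOME` and the assumption that the local `git archive` produces byte-identical gzip output to GitHub's are all hypothetical; the digest comparison is the check that confirms the last of those before anyone relies on it.

```shell
#!/bin/sh
# Added example, not from the original mail or from pacman/GitHub: rebuild a
# release tarball from the local clone (git archive, as GitHub does), detach-sign
# it, verify the signature, and compare digests with another copy. Repository
# path, tag and names are hypothetical placeholders.
set -eu

# Rebuild the tarball for $tag from the clone at $repo, using the
# "<name>-<version>/" prefix that GitHub's autogenerated archives carry.
# $outdir must be an absolute path (git -C changes directory before -o is
# resolved). Prints the path of the archive it wrote.
build_archive() {
  repo=$1; tag=$2; name=$3; version=$4; outdir=$5
  out="$outdir/$name-$version.tar.gz"
  git -C "$repo" archive --format=tar.gz --prefix="$name-$version/" \
      -o "$out" "$tag"
  printf '%s\n' "$out"
}

# Bare SHA-256 of a file (coreutils sha256sum or BSD shasum).
digest() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Detach-sign the archive with the default secret key in $GNUPGHOME,
# ASCII-armoured as in the mail (-a -b). Prints the .asc path.
sign_archive() {
  gpg --batch --yes -a -b -o "$1.asc" "$1"
  printf '%s\n' "$1.asc"
}

# Verify the detached signature next to an archive; exit status is gpg's,
# so a modified tarball makes this return non-zero.
verify_archive() {
  gpg --batch --verify "$1.asc" "$1" 2>/dev/null
}

# Compare a locally rebuilt archive with another copy (e.g. the GitHub
# download). Prints both digests; returns 0 only when they are identical.
same_archive() {
  local_sum=$(digest "$1"); other_sum=$(digest "$2")
  printf 'local %s\nother %s\n' "$local_sum" "$other_sum"
  [ "$local_sum" = "$other_sum" ]
}
```

Typical use is `a=$(build_archive ~/src/mysoftware mysoftware-0.4 mysoftware 0.4 "$PWD")`, then `sign_archive "$a"`, then `same_archive "$a" ~/Downloads/mysoftware-0.4.tar.gz` against the file GitHub serves. If the two digests differ, the local git's compressor does not produce the same bytes as GitHub's; the signature is still valid for the tarball you built, so publish that tarball (and its digest) rather than pointing users at GitHub's copy.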