Hi,

On Fri, Dec 13, 2019 at 10:55:34AM +0100, Thomas Koch wrote:
> nix-2.3.1.tar.xz.asc - which signs the .sha256
> nix-2.3.1.tar.xz.sha256 - which contains the hash of the tarball
> nix-2.3.1.tar.xz

I'd grumble about this in the general direction of upstream. The signature is generated over a hash of the input data in any case, so using a hash as the input data does not gain anything, you just lose automatic verification.

Simon
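
The two-step check this file layout forces on a verifier, as an added example that is not part of the original message or of the Nix project. The function names are hypothetical, and it assumes `gpg` and `sha256sum` are installed and the signer's public key is already in the local keyring.

```shell
#!/bin/sh
# Added example: the signature covers only the .sha256 file, so a successful
# "gpg --verify" says nothing about the tarball until the hash is compared too.
# Function names are hypothetical.

# Step 1: the detached signature authenticates the hash file only.
verify_hash_file_signature() {
    # $1 = .asc file, $2 = .sha256 file
    gpg --verify "$1" "$2"
}

# Step 2: the manual part. Compare the tarball's digest with the signed hash.
# Accepts a bare hex digest or a "digest  filename" line (sha256sum format).
check_tarball_hash() {
    # $1 = .sha256 file, $2 = tarball
    expected=$(awk 'NR==1 { print tolower($1) }' "$1")
    # Reject anything that is not exactly 64 hex characters.
    case "$expected" in
        *[!0-9a-f]*|"") echo "malformed hash file: $1" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed hash file: $1" >&2; return 2; }
    actual=$(sha256sum "$2" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "hash mismatch for $2" >&2
    return 1
}

# Both steps must pass; skipping step 2 accepts any tarball placed next to
# a genuine .sha256/.asc pair.
verify_release() {
    # $1 = tarball; expects $1.sha256 and $1.asc beside it, as in the listing above
    verify_hash_file_signature "$1.asc" "$1.sha256" || return 3
    check_tarball_hash "$1.sha256" "$1"
}
```

With a signature made directly over the tarball, step 1 alone would cover the data and step 2 would not be needed.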