Hi Matt,

I'm currently helping out packaging dropbear for Debian [0]. As mentioned on your webpage the dropbear package is currently rather outdated (even sid is lagging behind with 2014.65-1), and in order to reduce the delays between upstream and package releases I'd like to make the import of upstream tarballs easier.

Along with the most recent tarballs, one finds a clearsigned SHA256SUM.asc file in https://matt.ucc.asn.au/dropbear/ . Since sha256sum(1) chokes on the OpenPGP header, in order to verify the integrity of the package one needs to 1/ run `gpg --verify`, 2/ remove the OpenPGP header & footer, and 3/ run `sha256sum -c`.

I wonder if you could provide a detached signature of the tarball instead of clearsigning the checksum file. While Debian's uscan(1) is currently not able to deal with checksum files, it can import detached signatures along with tarballs and check the signature validity. (Furthermore it doesn't rely on the WoT since the signer's key is available in the repository under ‘debian/upstream/signing-key.asc’.) This would make importing further releases much easier :-)

In a nutshell this is what I have in mind:

    ./dropbear-2015.67.tar.bz2
    ./dropbear-2015.67.tar.bz2.sig (or .asc for armored files)
    ./SHA256SUM (optional)

Also risking nitpicking, you could also modify your gpg(1) digest preferences to something stronger than SHA1 [1] :-P For instance:

    echo 'personal-digest-preferences SHA512' >> ~/.gnupg/gpg.conf

Thanks!

Cheers,
-- 
Guilhem.

[0] https://lists.debian.org/debian-devel/2015/06/msg00285.html
[1] https://www.debian-administration.org/users/dkg/weblog/48
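The three-step check described in the message (gpg --verify, strip the OpenPGP clearsign wrapper, sha256sum -c) and the one-step detached-signature check it asks for, as an added shell example. This is not code from the message, from Debian's uscan or from the Dropbear project; the file names, the key fingerprint argument and the sample "tarball" and SHA256SUM.asc are assumptions or constructed for the demo. Stripping follows the RFC 4880 clearsign layout (armor header lines up to a blank line, body with "- " dash-escaping, then the signature block), and both gpg checks pin the signer's fingerprint through the VALIDSIG status line rather than trusting any key that happens to be in the keyring.

```shell
#!/bin/sh
# Added example, not part of the message or of Dropbear. The sample files
# below are constructed; the dummy signature block is never passed to gpg.
set -eu

# Step 2: drop the "BEGIN PGP SIGNED MESSAGE" line, the "Hash:" header lines
# and the blank line after them, stop at "BEGIN PGP SIGNATURE", and undo the
# dash-escaping ("- " prefix) that clearsigning applies to lines starting
# with "-". What is left is exactly what sha256sum -c expects.
strip_clearsign() {   # usage: strip_clearsign SHA256SUM.asc
    awk '
        /^-----BEGIN PGP SIGNED MESSAGE-----$/ { in_hdr = 1; next }
        in_hdr && /^$/                         { in_hdr = 0; in_body = 1; next }
        in_hdr                                 { next }
        /^-----BEGIN PGP SIGNATURE-----$/      { exit }
        in_body                                { sub(/^- /, ""); print }
    ' "$1"
}

# Steps 1 and 3. A bare "gpg --verify" succeeds for any key in the keyring,
# so require a VALIDSIG status line carrying the expected fingerprint
# (40 hex digits, no spaces). FINGERPRINT is a placeholder argument; in
# practice it is the upstream signer's fingerprint, e.g. from the key kept
# in debian/upstream/signing-key.asc.
verify_clearsigned_sums() {   # usage: verify_clearsigned_sums SHA256SUM.asc FINGERPRINT
    gpg --batch --status-fd 1 --verify "$1" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $2 " || return 1
    strip_clearsign "$1" | sha256sum -c --strict -
}

# The alternative the message proposes: a detached signature over the
# tarball, checked in one step with the same fingerprint pinning.
verify_detached() {           # usage: verify_detached tarball.sig tarball FINGERPRINT
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $3 "
}

# Constructed sample: a fake tarball and a clearsigned-looking SHA256SUM.asc
# whose signature block is dummy text.
make_sample() {               # usage: make_sample DIR
    printf 'not really a tarball\n' > "$1/dropbear-2015.67.tar.bz2"
    sum=$(cd "$1" && sha256sum dropbear-2015.67.tar.bz2)
    {
        printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----' 'Hash: SHA512' ''
        printf '%s\n' "$sum"
        printf '%s\n' '-----BEGIN PGP SIGNATURE-----' '' 'dummy-signature-not-valid'
        printf '%s\n' '-----END PGP SIGNATURE-----'
    } > "$1/SHA256SUM.asc"
}

# Runs only the stripping and sha256sum steps on the sample (no gpg needed);
# returns 0 when the stripped checksum file verifies the sample tarball.
demo_check() {
    dir=$(mktemp -d)
    make_sample "$dir"
    if ( cd "$dir" && strip_clearsign SHA256SUM.asc | sha256sum -c --strict - ) >/dev/null; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$dir"
    return $rc
}

demo_check && echo 'stripped SHA256SUM.asc verifies the sample tarball'
```

Piping the stripped text straight into sha256sum -c keeps the checksum lines and the signed bytes identical; writing them to a second file first would open a window in which a different file could be checked than the one gpg verified.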