On 11/29/2020 12:53 PM, Werner Koch wrote:
> On Sat, 28 Nov 2020 07:57, john doe said:
>> If I look at Debian (1) for example, the checksum file is gpg signed.
>> Assuming that I understand correctly, the Debian approach is not a safe
>> way to make the checksums available/propagate?
>
> No, that is a safe way.
>
> Having a separate file with checksums is sometimes better for the
> signing workflow. It also allows signing/verifying a bunch of files with
> just one operation. It also avoids the need to download and upload all
> files to a dedicated signing box. Only since GnuPG 2.2 could the latter
> be handled using gpg-agent's remote feature.

Interesting, just to be sure, you are referring to the below option from (1)?:
"--extra-socket name"

Is the release workflow documented somewhere so a non-dev could look to
implement this?

In other words, is it worth considering such a move?
1)
https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html#Agent-Options
--
John Doe
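The signed-checksum-file workflow discussed in the thread, seen from the verifying side, as an added example that is not code from the list or from GnuPG: one detached signature over a sha256sum-format SHA256SUMS file covers every artefact, so the verifier checks the signature first and only then trusts the per-file hashes. It assumes the file names SHA256SUMS and SHA256SUMS.gpg, that `gpg` is installed with the signing key already imported, and the sample release it builds is constructed.

```python
import hashlib
import os
import subprocess
import tempfile

def parse_sums(text):
    """Parse sha256sum-style lines ('<hex>  <name>') into {name: hex}; names with
    path components are rejected so a hostile file cannot point outside the release dir."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")  # sha256sum marks binary mode with a leading '*'
        if len(digest) != 64 or os.path.basename(name) != name or name in ("", ".", ".."):
            raise ValueError("malformed checksum line: %r" % line)
        entries[name] = digest.lower()
    return entries

def file_sha256(path):
    try:
        with open(path, "rb") as f:
            return hashlib.sha256(f.read()).hexdigest()
    except OSError:  # a missing or unreadable file counts as a mismatch
        return None

def check_sums(entries, base_dir):
    """Return the names whose on-disk SHA-256 differs from the checksum file."""
    return [n for n, h in entries.items() if file_sha256(os.path.join(base_dir, n)) != h]

def verify_release(base_dir, sums="SHA256SUMS", sig="SHA256SUMS.gpg"):
    """Signature first, then checksums: the checksum file is untrusted until gpg accepts
    the detached signature. Exit 0 means a good signature from a keyring key; trust is separate."""
    sums_path = os.path.join(base_dir, sums)
    subprocess.run(["gpg", "--verify", os.path.join(base_dir, sig), sums_path], check=True)
    with open(sums_path, encoding="utf-8") as f:
        return check_sums(parse_sums(f.read()), base_dir)

def build_sample_release():
    """Constructed sample release: two artefacts plus their SHA256SUMS (unsigned here)."""
    d = tempfile.mkdtemp()
    files = {"tool-1.0.tar.gz": b"sample archive", "tool-1.0.deb": b"sample package"}
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    with open(os.path.join(d, "SHA256SUMS"), "w", encoding="utf-8") as f:
        f.writelines("%s  %s\n" % (hashlib.sha256(b).hexdigest(), n) for n, b in files.items())
    return d
```

On the signing box the matching producer side is `sha256sum * > SHA256SUMS` followed by `gpg --detach-sign SHA256SUMS`; `verify_release` returns an empty list when the signature is good and every listed file matches.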
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users