On Sat, Jun 25, 2016 at 9:56 AM, Hugo Lefeuvre <h...@debian.org> wrote:
>
> For security reasons, it would be a good idea to provide PGP/GPG signed
> release tarballs. Signature checks are automatically done by our packaging
> systems and help us to determine whether a new release is trustworthy or
> not before packaging it.
>
> Users should also be able to verify the origin of a new release before
> installing it.

May I suggest OpenBSD's signify [1]. It's got a simple design that I think
fits well with suckless philosophy.

[1]: https://github.com/aperezdc/signify

-------------------------------------------------------------------------------
Colin J. Mills (cjm)
"Don't patch bad code - rewrite it" -- P. J. Plauger