To quote id:87ftrpgjdb....@fifthhorseman.net

     if the thing verified is the output of sha256sum, then the
     *filename* of the tarball itself is included, then the standard
     verification step will is sufficient to ensure that you've got the right
     version in the filename.

This is in addition to the detached signature on the tarball
---
 Makefile.global | 2 +-
 Makefile.local  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Makefile.global b/Makefile.global
index 6e17494a..27c82433 100644
--- a/Makefile.global
+++ b/Makefile.global
@@ -43,7 +43,7 @@ RELEASE_URL=https://notmuchmail.org/releases
 TAR_FILE=$(PACKAGE)-$(VERSION).tar.gz
 ELPA_FILE:=$(PACKAGE)-emacs-$(ELPA_VERSION).tar
 DEB_TAR_FILE=$(PACKAGE)_$(VERSION).orig.tar.gz
-SHA256_FILE=$(TAR_FILE).sha256
+SHA256_FILE=$(TAR_FILE).sha256.asc
 GPG_FILE=$(TAR_FILE).asc
 
 PV_FILE=bindings/python/notmuch/version.py
diff --git a/Makefile.local b/Makefile.local
index 01ba49cc..79595925 100644
--- a/Makefile.local
+++ b/Makefile.local
@@ -40,7 +40,7 @@ $(TAR_FILE):
        @echo "Source is ready for release in $(TAR_FILE)"
 
 $(SHA256_FILE): $(TAR_FILE)
-       sha256sum $^ > $@
+       sha256sum $^ | gpg --armour --clear-sign > $@
 
 $(GPG_FILE): $(TAR_FILE)
        gpg --armor --detach-sign $^
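Review bot: The new `$(SHA256_FILE)` recipe can leave a stale artefact behind: the shell creates `$@` before the pipeline runs, so when `gpg --clear-sign` fails (no secret key, cancelled pinentry) the recipe exits non-zero but an empty `.sha256.asc` with a fresh mtime remains, and the next `make` treats it as up to date unless the file declares `.DELETE_ON_ERROR:` (not visible in this hunk). Under the default `sh` the pipeline's status is gpg's alone, so a failing `sha256sum` would still yield a validly signed file that contains no checksum line. Splitting the steps avoids both, e.g. `sha256sum $^ > $@.tmp` / `gpg --armour --clear-sign --output $@ $@.tmp` / `$(RM) $@.tmp`, with each failure stopping the recipe before `$@` is written. The `$(GPG_FILE)` rule just below spells the same option `--armor`; using one spelling in both recipes would make the two signing rules easier to read side by side.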
-- 
2.20.1
