https://bugs.kde.org/show_bug.cgi?id=387047

--- Comment #7 from Ben Cooksley <bcooks...@kde.org> ---
The packages you see signed for Applications, Plasma and Frameworks are signed
by their respective Release Managers and then uploaded to download.kde.org by
them. Sysadmin has no access to the GPG keys used to generate those signatures.

In this case you'll need to set up GPG appropriately, Gilles, and upload
signatures as part of your releases.

@RealDolos: Our systems provide SHA256 and SHA1 sums for all files hosted on
both download.kde.org and files.kde.org. All you need to do is append .sha1 or
.sha256 and our systems will serve the appropriate signature to you, directly,
over HTTPS. This should provide a reasonably secure channel to verify the
tarballs have not been tampered with by a mirror.

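The check described in comment #7, as an added example that is not part of the original comment or KDE's own tooling: the checksum is taken from the origin host over HTTPS by appending `.sha256` or `.sha1`, then compared with the hash of the tarball that came from a mirror. The function names are hypothetical, and the response body is assumed to be either a bare hex digest or `sha256sum`-style `digest  filename`.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit
from urllib.request import urlopen

# Hosts the comment names as serving checksums directly.
ORIGIN_HOSTS = {"download.kde.org", "files.kde.org"}

def checksum_url(file_url, algo="sha256"):
    """Append .sha256/.sha1 to the file URL; refuse anything but the HTTPS origin."""
    if algo not in ("sha256", "sha1"):
        raise ValueError("unsupported algorithm: %s" % algo)
    parts = urlsplit(file_url)
    if parts.scheme != "https" or parts.hostname not in ORIGIN_HOSTS:
        raise ValueError("checksum must be fetched from the origin over HTTPS")
    if parts.query or parts.fragment:
        raise ValueError("expected a plain file URL")
    return file_url + "." + algo

def parse_digest(text, algo="sha256"):
    """Return the digest from the response body (assumed format, see lead-in)."""
    hex_len = hashlib.new(algo).digest_size * 2
    fields = text.split()
    token = fields[0] if fields else ""
    # An HTML error page or truncated body fails here instead of "verifying".
    if not re.fullmatch(r"[0-9a-fA-F]{%d}" % hex_len, token):
        raise ValueError("response does not start with a %s digest" % algo)
    return token.lower()

def file_digest(path, algo="sha256"):
    """Hash the local tarball in chunks so large files are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(path, checksum_text, algo="sha256"):
    """True only if the mirror-supplied file matches the origin-supplied digest."""
    return hmac.compare_digest(file_digest(path, algo),
                               parse_digest(checksum_text, algo))

def fetch_checksum(file_url, algo="sha256"):
    """Network step: read the small checksum body from the origin."""
    with urlopen(checksum_url(file_url, algo), timeout=30) as resp:
        return resp.read(4096).decode("ascii", "replace")
```

Typical use is `verify(local_path, fetch_checksum(file_url))`, where `file_url` is the file's address on download.kde.org or files.kde.org rather than the mirror it was downloaded from.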