sign release tarballs directly, not their hash files #3293
Comments
It seems to work as expected for me:
Indeed, the signature is over the tarball, not the hash. You can see the signature generation here: nix/maintainers/upload-release.pl Lines 60 to 81 in b0cadf5
You can ignore the |
related issues:
#404 Add an OpenPGP signature for every tarball on nixos.org ( @domenkozar )
#17 Sign released Nix tarballs
Nix releases come with a .sha256 hash file and a .asc signature file over the hash file. This seems strange as gpg could directly make a signature over the original file. The latter is expected by Debian packaging tools. It is still possible to package nix for Debian, but verification of the upstream tarball must be done manually with the current release scheme.
Would you mind providing a signature (.asc file) over the tarball itself instead of the hash file?
This has previously been discussed here:
https://lists.debian.org/debian-devel/2019/12/msg00081.html
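Added example, not part of the original issue or of the Nix release tooling: a way to check which file a detached `.asc` signature actually covers, and the two-step verification the hash-file scheme requires. The key, file names and contents are constructed for the demo, and the `.sha256` file is assumed to hold only the hex digest.

```bash
#!/usr/bin/env bash
# Constructed demo: throwaway key and files, no real release artifacts.
set -u
export GNUPGHOME="$(mktemp -d)"; chmod 700 "$GNUPGHOME"
work="$(mktemp -d)"
tarball="$work/demo-1.0.tar.xz"      # hypothetical file names
hashfile="$tarball.sha256"

# Print which file a detached signature covers: tarball, hash or none.
signed_target() {   # usage: signed_target SIG TARBALL HASHFILE
  if gpg --batch --quiet --verify "$1" "$2" 2>/dev/null; then echo tarball
  elif gpg --batch --quiet --verify "$1" "$3" 2>/dev/null; then echo hash
  else echo none
  fi
}

# Hash-file scheme: the signature only vouches for the digest, so the
# digest must then be recomputed over the tarball and compared.
verify_via_hash() {  # usage: verify_via_hash SIG TARBALL HASHFILE
  gpg --batch --quiet --verify "$1" "$3" 2>/dev/null || return 1
  [ "$(sha256sum "$2" | cut -d' ' -f1)" = "$(tr -d '[:space:]' < "$3")" ]
}

# Build the constructed inputs: one signature per scheme, same key.
setup_demo() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Demo Release Key <demo@example.invalid>' \
      default default never 2>/dev/null
  printf 'constructed tarball contents\n' > "$tarball"
  sha256sum "$tarball" | cut -d' ' -f1 > "$hashfile"
  gpg --batch --quiet --yes --armor --detach-sign -o "$work/direct.asc" "$tarball"
  gpg --batch --quiet --yes --armor --detach-sign -o "$work/overhash.asc" "$hashfile"
}

setup_demo
echo "direct.asc covers:   $(signed_target "$work/direct.asc" "$tarball" "$hashfile")"
echo "overhash.asc covers: $(signed_target "$work/overhash.asc" "$tarball" "$hashfile")"
verify_via_hash "$work/overhash.asc" "$tarball" "$hashfile" && echo "two-step check: ok"
```

A signature made directly over the tarball verifies in a single `gpg --verify` call, which is the layout Debian's packaging tools expect according to the issue; the hash-file layout needs both checks in `verify_via_hash`.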