Detached tarball signatures vs. clearsigned checksum files

[Matt Johnston]

On Sun, Jun 28, 2015 at 06:02:01PM +0200, Guilhem Moulin wrote:
> I'm currently helping out packaging dropbear for Debian [0].  As
> mentioned on your webpage the drobpear package is currently rather
> outdated (even sid is lagging behind with 2014.65-1), and in order to
> reduce the delays between upstream and package releases I'd like to make
> the import of upstream tarballs easier.
<snip>
> This would make importing further releases much easier :-)  In a
> nutshell this is what I have in mind:
> 
>     ./dropbear-2015.67.tar.bz2
>     ./dropbear-2015.67.tar.bz2.sig  (or .asc for armored files)
>     ./SHA256SUM  (optional)
<snip>
> Also risking nitpicking, you could also modify your gpg(1) digest
> preferences to something stronger than SHA1 [1] :-P  For instance:

Hi Guilhem,

New Debian packages would be great. I've signed
releases/dropbear-2015.67.tar.bz2.sig for the latest
one so far, I'll keep more for future releases.

Making a new pgp key has been on my todo list so there is now
a Dropbear Release Key. (The old key is DSA so seemed to
only make SHA1 signatures)

https://matt.ucc.asn.au/dropbear/releases/dropbear-key-2015.asc
pub   4096R/F29C6773 2015-06-29
      Key fingerprint = F734 7EF2 EE2E 07A2 6762  8CA9 4493 1494 F29C 6773
uid                  Dropbear SSH Release Signing <matt at ucc.asn.au>

It's signed by the old key and my new personal key

pub   4096R/C20BBAAC 2015-06-29
      Key fingerprint = 1F1A F0BB EC7C F375 9FFA  1191 F498 3012 C20B BAAC
uid                  Matt Johnston <matt at ucc.asn.au>
sub   4096R/D5581050 2015-06-29

Cheers,
Matt