Detached tarball signatures vs. clearsigned checksum files
Matt Johnston
matt at ucc.asn.au
Mon Jun 29 21:27:23 AWST 2015
On Sun, Jun 28, 2015 at 06:02:01PM +0200, Guilhem Moulin wrote:
> I'm currently helping out packaging dropbear for Debian [0]. As
> mentioned on your webpage the dropbear package is currently rather
> outdated (even sid is lagging behind with 2014.65-1), and in order to
> reduce the delays between upstream and package releases I'd like to make
> the import of upstream tarballs easier.
<snip>
> This would make importing further releases much easier :-) In a
> nutshell this is what I have in mind:
>
> ./dropbear-2015.67.tar.bz2
> ./dropbear-2015.67.tar.bz2.sig (or .asc for armored files)
> ./SHA256SUM (optional)
<snip>
> Also risking nitpicking, you could also modify your gpg(1) digest
> preferences to something stronger than SHA1 [1] :-P For instance:

Hi Guilhem,

New Debian packages would be great. I've signed
releases/dropbear-2015.67.tar.bz2.sig for the latest
one so far, I'll keep more for future releases.

Making a new pgp key has been on my todo list so there is now
a Dropbear Release Key. (The old key is DSA so seemed to
only make SHA1 signatures)

https://matt.ucc.asn.au/dropbear/releases/dropbear-key-2015.asc

pub 4096R/F29C6773 2015-06-29
Key fingerprint = F734 7EF2 EE2E 07A2 6762 8CA9 4493 1494 F29C 6773
uid Dropbear SSH Release Signing <matt at ucc.asn.au>

It's signed by the old key and my new personal key

pub 4096R/C20BBAAC 2015-06-29
Key fingerprint = 1F1A F0BB EC7C F375 9FFA 1191 F498 3012 C20B BAAC
uid Matt Johnston <matt at ucc.asn.au>
sub 4096R/D5581050 2015-06-29

Cheers,
Matt
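Added example (not part of the original message and not Dropbear project code): one way a packager could check a release tarball against the detached signature, pinning the release key fingerprint quoted above and rejecting MD5/SHA-1 signature digests. The function names and the sample status lines are constructed for illustration; it assumes dropbear-key-2015.asc has already been downloaded into the current directory.

```shell
#!/bin/sh
# Fingerprint of the "Dropbear SSH Release Signing" key from the message above, spaces removed.
RELEASE_FPR=F7347EF2EE2E07A267628CA944931494F29C6773

# Constructed sample status lines (not real gpg output); field 10 is the digest id.
SAMPLE_SHA256="[GNUPG:] VALIDSIG $RELEASE_FPR 2015-06-29 1435584443 0 4 0 1 8 00 $RELEASE_FPR"
SAMPLE_SHA1="[GNUPG:] VALIDSIG $RELEASE_FPR 2015-06-29 1435584443 0 4 0 1 2 00 $RELEASE_FPR"

# check_status FPR: read `gpg --status-fd` output on stdin. Succeeds only if a
# VALIDSIG line names FPR as primary key and its digest is not MD5 (1) or SHA-1 (2).
check_status() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            # $3 = signing key fpr, $10 = hash algorithm id, $12 = primary key fpr
            primary = (NF >= 12) ? $12 : $3
            if (toupper(primary) != toupper(want)) next
            if ($10 == 1 || $10 == 2) next
            ok = 1
        }
        END { exit (ok ? 0 : 1) }
    '
}

# verify_release TARBALL SIG: verify inside a throwaway keyring that holds only
# the release key, so no other key in the user's keyring can satisfy the check.
verify_release() {
    tmp=$(mktemp -d) || return 1
    gpg --homedir "$tmp" --batch --quiet --import dropbear-key-2015.asc 2>/dev/null &&
    gpg --homedir "$tmp" --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        check_status "$RELEASE_FPR"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Usage: sh verify.sh dropbear-2015.67.tar.bz2 dropbear-2015.67.tar.bz2.sig
if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2"; then
        echo "OK: signed by $RELEASE_FPR"
    else
        echo "FAILED: $1" >&2
        exit 1
    fi
fi
```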