Detached tarball signatures vs. clearsigned checksum files

Guilhem Moulin guilhem at
Mon Jun 29 00:02:01 AWST 2015

Hi Matt,

I'm currently helping out packaging dropbear for Debian [0].  As
mentioned on your webpage the dropbear package is currently rather
outdated (even sid is lagging behind with 2014.65-1), and in order to
reduce the delays between upstream and package releases I'd like to make
the import of upstream tarballs easier.

Along with the most recent tarballs, one finds a clearsigned
SHA256SUM.asc file in .  Since
sha256sum(1) chokes on the OpenPGP header, in order to verify the
integrity of the package one needs to 1/ run `gpg --verify`, 2/ remove
the OpenPGP header & footer, and 3/ run `sha256sum -c`.

I wonder if you could provide a detached signature of the tarball
instead of clearsigning the checksum file.  While Debian's uscan(1) is
currently not able to deal with checksum files, it can import detached
signatures along with tarballs and check the signature validity.
(Furthermore it doesn't rely on the WoT since the signer's key is
available in the repository under ‘debian/upstream/signing-key.asc’.)

This would make importing further releases much easier :-)  In a
nutshell this is what I have in mind:

    ./dropbear-2015.67.tar.bz2.sig  (or .asc for armored files)
    ./SHA256SUM  (optional)

Also, at the risk of nitpicking, you could modify your gpg(1) digest
preferences to something stronger than SHA1 [1] :-P  For instance:

    echo 'personal-digest-preferences SHA512' >> ~/.gnupg/gpg.conf


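The three-step recipe from the message above (gpg --verify, strip the clearsign header and footer, sha256sum -c) and the detached-signature alternative it asks for, written out as an added example; this is not code from the original e-mail, from dropbear or from uscan. It assumes GNU coreutils sha256sum(1) and gpg(1) on the path, a keyring that has been reduced to the upstream key (for instance debian/upstream/signing-key.asc passed through `gpg --dearmor`), and the file and keyring names in the comments are illustrative.

```sh
#!/bin/sh
# Added example, not code from the original e-mail, dropbear or uscan.
# Assumes GNU coreutils sha256sum(1) and gpg(1); file and keyring names
# in the comments are illustrative.
set -eu

# Strip the OpenPGP clearsign armor (RFC 4880 section 7) from a
# SHA256SUM.asc so that sha256sum -c can read the checksum lines.
# The "Hash:" header block is dropped, everything up to the
# "-----BEGIN PGP SIGNATURE-----" line is kept, and dash-escaping is
# undone (a signed line starting with "-" is stored as "- -...").
strip_clearsign() {   # strip_clearsign SHA256SUM.asc
    awk '
        /^-----BEGIN PGP SIGNED MESSAGE-----$/ { in_hdr = 1; next }
        in_hdr && /^$/                        { in_hdr = 0; in_body = 1; next }
        in_hdr                                { next }
        /^-----BEGIN PGP SIGNATURE-----$/     { exit }
        in_body                               { sub(/^- /, ""); print }
    ' "$1"
}

# Feed only the line for the one tarball we downloaded to sha256sum -c;
# matching on the last field accepts both "hash  file" and "hash *file".
# If no line matches, sha256sum -c sees no checksum lines at all and
# exits non-zero, so a file absent from the list never passes.
check_one_sum() {     # check_one_sum dropbear-2015.67.tar.bz2 SHA256SUM.asc
    strip_clearsign "$2" |
        awk -v f="$1" '$NF == f || $NF == ("*" f)' |
        sha256sum -c -
}

# Steps 1-3 of the e-mail's recipe.  The keyring (give it as an absolute
# or ./-prefixed path, otherwise gpg looks in its home directory) should
# hold only the upstream key, so that a zero exit from --verify means
# "signed by that key" and not "signed by some key I once imported".
verify_clearsigned() { # verify_clearsigned SHA256SUM.asc tarball ./signing-key.gpg
    gpg --batch --no-default-keyring --keyring "$3" --verify "$1" &&
        check_one_sum "$2" "$1"
}

# The alternative the e-mail asks upstream for: a detached signature over
# the tarball itself, verified in one step against the same pinned key.
verify_detached() {    # verify_detached tarball.sig tarball ./signing-key.gpg
    gpg --batch --no-default-keyring --keyring "$3" --verify "$1" "$2"
}
```

Pinning the keyring is what makes the exit status of `gpg --verify` meaningful: with the default keyring, a good signature from any imported key also yields exit 0, and only the printed key ID tells you who signed.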