Detached tarball signatures vs. clearsigned checksum files

Matt Johnston matt at
Mon Jun 29 21:27:23 AWST 2015

On Sun, Jun 28, 2015 at 06:02:01PM +0200, Guilhem Moulin wrote:
> I'm currently helping out packaging dropbear for Debian [0].  As
> mentioned on your webpage the drobpear package is currently rather
> outdated (even sid is lagging behind with 2014.65-1), and in order to
> reduce the delays between upstream and package releases I'd like to make
> the import of upstream tarballs easier.
> This would make importing further releases much easier :-)  In a
> nutshell this is what I have in mind:
>     ./dropbear-2015.67.tar.bz2
>     ./dropbear-2015.67.tar.bz2.sig  (or .asc for armored files)
>     ./SHA256SUM  (optional)
> Also risking nitpicking, you could also modify your gpg(1) digest
> preferences to something stronger than SHA1 [1] :-P  For instance:

Hi Guilhem,

New Debian packages would be great. I've signed
releases/dropbear-2015.67.tar.bz2.sig for the latest
one so far, I'll keep more for future releases.

Making a new pgp key has been on my todo list so there is now
a Dropbear Release Key. (The old key is DSA so seemed to
only make SHA1 signatures)
pub   4096R/F29C6773 2015-06-29
      Key fingerprint = F734 7EF2 EE2E 07A2 6762  8CA9 4493 1494 F29C 6773
uid                  Dropbear SSH Release Signing <matt at>

It's signed by the old key and my new personal key

pub   4096R/C20BBAAC 2015-06-29
      Key fingerprint = 1F1A F0BB EC7C F375 9FFA  1191 F498 3012 C20B BAAC
uid                  Matt Johnston <matt at>
sub   4096R/D5581050 2015-06-29


More information about the Dropbear mailing list