[PATCH] Check SHA256 sum of git-$VER.tar.gz after downloading

Todd Zullinger tmz at pobox.com
Mon Mar 9 23:42:48 CET 2015

Jason A. Donenfeld wrote:
> On Mar 8, 2015 12:35 AM, "Todd Zullinger" <tmz at pobox.com> wrote:
>> But while we're on the subject, are there PGP signatures available 
>> for the cgit tarballs themselves?
> I include a sha256 of the tarball in the announcement emails. Those 
> emails are pgp signed. My pgp key is embedded in the repo, as well, 
> and it's verifiable that all announce emails have been signed with 
> the same key.

(It's a SHA1, isn't it?  Not that I care terribly about that part, 
other than a general preference for SHA256. :)

More importantly is that verifying the PGP signature from an archive 
is not always easy.  More often than not, list archives introduce 
subtle whitespace damage or worse.

The other point that John made is more interesting.  If cgit generates 
a tarball on demand, aren't there opportunities for the hash in the 
announcement mail (or a detactch signature) to become invalid?  I 
belive that git archive has made changes in the past to avoid 
including the timestamp in the gzip archive, which helps.  I don't 
know if there are other ways this could change.

In the end, I don't know if it's a problem that can be solved in a way 
that doesn't cause more work for you as a maintainer or the other fine 
folks who are contributing.  That's certainly not my intention.  ;)

> On Mar 9, 2015 9:49 PM, "John Keeping" <john at keeping.me.uk> wrote:
>> It turns out that GMane mangles the list address in the message,
> Better archives:
> http://lists.zx2c4.com/pipermail/cgit/

I tried that earlier, before posting and found that it munges things 
too.  Mailman's munging is often due to whitespace changes and are 
hard to avoid.  Maybe the change to hyperkitty in Mailman 3 will 
improve this aspect of the archives.  ;)

Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
Damn you and your estrogenical treachery!
    -- Stewie Griffin

More information about the CGit mailing list