Hi Matthias, On Thu, 2024-06-27 at 13:56 +0200, Matthias Urlichs wrote: > On 27.06.24 09:50, Ansgar π wrote: > > leading to having no idea > > why a checksum as suggested isn't possible (it would work trivially for > > the counterexamples given...). > > IΒ assume that "checksum" refers to something > likehttps://pkg.go.dev/golang.org/x/mod/sumdb/dirhash#Hash1Β which you > referred to in a message on 06-19. > > Question: How can the tag2upload client, which is not going to run dgit > by design, add the hash of dgit's output to the tag it creates? > > Answer: it's impossible to do that. This is the whole point of tag2upload.
You missed a very simple part: it wouldn't sign (a hash of) the output of dgit. So the problem does not exist in the form you imagine. > Please enlighten me if I have missed something here. You are welcome. Bye. Ansgar
