On 2017-11-30 23:35, Tomas Hajny wrote:
Obviously, there are more secure mechanisms (let's take
Debian packages with their signatures as an example), but these require
more overhead (especially with different release makers for different

Not every release maker needs to create their own checksums. Only one person needs to do a checksum against all release files in a directory (at the end of the release builds). You then have a CHECKSUM file listing all release files. If you want to be extra paranoid, then yes, use GnuPG and sign that file. Again, you only need one GnuPG key used by all Free Pascal releases. Creating the GnuPG key is a once-off task. Generating the summary checksum file and signing it can all be scripted (probably in the same script that uploads all the release files to the server).

Regards,
  Graeme

--
fpGUI Toolkit - a cross-platform GUI toolkit using Free Pascal
http://fpgui.sourceforge.net/

My public PGP key:  http://tinyurl.com/graeme-pgp
_______________________________________________
fpc-pascal maillist  -  fpc-pascal@lists.freepascal.org
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal
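The workflow Graeme describes above (one checksum file covering every release file in a directory, signed once with a single project key) as an added example; this is not a script from the thread or from the Free Pascal project. The directory name, the file name `SHA256SUMS` and the key id are assumptions, and the GnuPG steps require `gpg` and the project's private key to be present on the machine that runs the script.

```shell
#!/bin/sh
# Added example, not part of the fpc-pascal thread or the Free Pascal
# release tooling. Builds one SHA256SUMS file for a release directory,
# verifies it, and signs it with a single project GnuPG key.
set -u

# make_checksums DIR: write "hash  relative/path" for every regular file
# under DIR (except the checksum file and its signature) into DIR/SHA256SUMS.
# Paths are relative and sorted under LC_ALL=C so the file is reproducible
# and verifies from inside the directory. Prints the path of the file.
make_checksums() {
    dir=$1
    out=SHA256SUMS
    ( cd "$dir" \
        && find . -type f ! -name "$out" ! -name "$out.asc" \
        | sed 's|^\./||' \
        | LC_ALL=C sort \
        | while read -r f; do sha256sum "$f"; done > "$out" ) || return 1
    printf '%s\n' "$dir/$out"
}

# verify_checksums DIR: recompute every hash listed in DIR/SHA256SUMS.
# Returns non-zero if any listed file is missing or altered.
verify_checksums() {
    dir=$1
    ( cd "$dir" && sha256sum -c --quiet SHA256SUMS )
}

# sign_checksums DIR KEYID: produce a detached ASCII-armoured signature
# DIR/SHA256SUMS.asc with the single project key (KEYID is an assumption).
# Only the checksum file is signed; the release files are covered by
# the hashes it lists.
sign_checksums() {
    dir=$1
    keyid=$2
    gpg --batch --yes --local-user "$keyid" --armor --detach-sign \
        --output "$dir/SHA256SUMS.asc" "$dir/SHA256SUMS"
}

# verify_signature DIR: what a downloader runs after importing the project's
# public key. A good signature plus verify_checksums confirms every file.
verify_signature() {
    dir=$1
    gpg --verify "$dir/SHA256SUMS.asc" "$dir/SHA256SUMS"
}

# Usage: release-checksums.sh <release-dir> [gpg-key-id]
# Run as the last step of the release build, before uploading.
if [ -n "${1:-}" ]; then
    make_checksums "$1" || exit 1
    verify_checksums "$1" || exit 1
    if [ -n "${2:-}" ]; then
        sign_checksums "$1" "$2" || exit 1
    fi
fi
```

The point of listing every file in a single signed manifest is that verifying one signature is enough; a checksum file that is not signed only detects corrupted downloads, because anyone who can replace the release files on the server can replace the checksum file alongside them.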
