On Wed, Jun 17, 2015 at 3:19 AM, Stanislav Malyshev <smalys...@gmail.com> wrote:
> Hi! > > > about signing, recently I got a question that somebody couldn't verify > > the tarball signature, because he was trying to verify the extracted > > contents instead of the compressed file. > > he was trying to do that, because that is how the kernel.org > > <http://kernel.org> releases are signed: > > > https://www.kernel.org/signature.html#using-gnupg-to-verify-kernel-signatures > > I far as I understood, this one verifies .tar - i.e. uncompressed, but > not extracted. Am I wrong? If that's right, then it doesn't solve the > issue with .zip. > > > -- > Stas Malyshev > smalys...@gmail.com > yep, that doesn't solves the separate signing of zips, buth one signature would be enough for all tar.* files -- Ferenc Kovács @Tyr43l - http://tyrael.hu
