On Mon, Aug 11, 2014 at 11:40:11PM +0200, Richard Weinberger wrote:
> Hi!
>
> How can I cryptographically verify libvirt releases?
> There are no signature/hash files in http://libvirt.org/sources/.
>
> All I see is that your git release tags are PGP signed.
> So, anyone who cares has to ignore everything in http://libvirt.org/sources/
> and needs to regenerate the tarball from git.
> Or do I miss something?

Yeah, re-generating the tarball from git doesn't really fly because it
contains auto-generated autoconf stuff that will never give you the
exact matching content without huge amounts of trouble.

I wonder if DV would be willing to generate sigs during release. It is
merely a case of running 'gpg --armour --detach libvirt-x.y.z.tar.gz'
and then uploading the .asc file to libvirt.org too.

Likewise for the python binding tar.gz - pypi would like it if we
uploaded a .sig file.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org       -o-             http://virt-manager.org :|
|: http://autobuild.org     -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
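
The signing step proposed in the reply above, together with the check a downloader would run against the published .asc file, as an added example that is not part of the original message or of libvirt's release tooling. The key, the keyring directory and the tarball contents are all constructed for the demonstration, and the long-form options `--armor --detach-sign` are used.

```shell
#!/bin/sh
# Added illustration: detached, ASCII-armoured signature over a release
# tarball, then verification of a good and a tampered copy.
# Constructed inputs: throwaway key, temporary keyring, dummy tarball.
# Exit status: 0 ok, 1 good file rejected, 2 tampered file accepted,
#              3 gpg not installed, 4 setup failed.

demo_detached_sig() (
    command -v gpg >/dev/null 2>&1 || exit 3

    work=$(mktemp -d) || exit 4
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$work"' EXIT
    GNUPGHOME="$work/gnupg"; export GNUPGHOME   # isolated keyring, never ~/.gnupg
    mkdir -m 700 "$GNUPGHOME" || exit 4

    # Throwaway key without passphrase; stands in for the release manager's key.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Constructed Release Signer <release@example.invalid>' \
        default default never 2>/dev/null || exit 4

    # Dummy tarball standing in for libvirt-x.y.z.tar.gz.
    tarball="$work/libvirt-x.y.z.tar.gz"
    printf 'constructed release payload\n' > "$work/README"
    tar -C "$work" -czf "$tarball" README || exit 4

    # Release side: writes libvirt-x.y.z.tar.gz.asc next to the tarball.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign "$tarball" 2>/dev/null || exit 4

    # Download side: signature file first, signed file second.
    gpg --batch --quiet --verify "$tarball.asc" "$tarball" 2>/dev/null || exit 1

    # A copy with one appended byte must not verify against the same .asc.
    cp "$tarball" "$work/tampered.tar.gz"
    printf 'x' >> "$work/tampered.tar.gz"
    if gpg --batch --quiet --verify "$tarball.asc" "$work/tampered.tar.gz" 2>/dev/null
    then
        exit 2
    fi
    exit 0
)
```

The verification only means something if the downloader obtained the signer's public key through a channel other than the download site itself.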