On 7/21/19 9:19 AM, brent s. wrote:
i can't speak for why it bothers Eli, but it bothers me because that's exactly what GPG detached sigs are already: signed hash checksums. The signify method is a signed hash checksum of a (list of) hash checksum(s). To me it feels like an unnecessary abstraction when one could just provide .sig files for each file and be more widely compatible.
The problem is a lot bigger, because "widely compatible" includes "being compatible with makepkg's official validation mechanism" and that unnecessary abstraction means it cannot, in fact, be used in makepkg after all.
-- Eli Schwartz Bug Wrangler and Trusted User
