On Tue, Jan 31, 2023 at 10:56:52AM -0500, Eli Schwartz wrote:
> And for tarballs that are generated once and uploaded to ftp storage,
> not repeatedly generated on the fly, we know the checksum will never
> legitimately change, so we *want* to hash the compressed file.
> Decompressing kernel.org tarballs in order to run PGP on them is *slow*.

FWIW, the most correct way is:

* download sha256sums.asc and verify its signature (auto-signed by infra)
* download the tarball you want and verify that the checksum matches
* uncompress and verify the PGP signature (signed by developer)

This script implements this workflow:
https://git.kernel.org/pub/scm/linux/kernel/git/mricon/korg-helpers.git/tree/get-verified-tarball

-K
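The three-step order above, as an added example that is not part of the thread and is not the korg-helpers get-verified-tarball script. It assumes the kernel.org layout: sha256sums.asc is a clearsigned list of `<hexdigest>  <filename>` lines, and `<name>.tar.sign` is a detached PGP signature over the uncompressed tar, which is why the last step pipes `xz -dc` into `gpg --verify ... -`. The sample checksum file and tarball bytes at the bottom are constructed for the offline checks; the gpg and xz calls need those tools and the relevant keys in your keyring.

```python
#!/usr/bin/env python3
"""Added illustration of the three-step tarball check. Not the korg-helpers
script. Assumed layout (kernel.org convention): clearsigned sha256sums.asc
with '<hexdigest>  <filename>' lines, and <name>.tar.sign covering the
*uncompressed* tar."""
import hashlib
import hmac
import re
import subprocess
import tempfile
from pathlib import Path

# One line as emitted by sha256sum (optional '*' marks binary mode).
SUMS_LINE = re.compile(r"^([0-9a-f]{64})\s+\*?(\S+)$")


def parse_sha256sums(text: str) -> dict:
    """Clearsigned sha256sums.asc text -> {filename: hexdigest}.
    Armour headers and the signature block are skipped; the result is only
    trustworthy after step 1 (gpg) has accepted the file."""
    sums, in_sig = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-----BEGIN PGP SIGNATURE-----":
            in_sig = True
            continue
        if in_sig:
            if line == "-----END PGP SIGNATURE-----":
                in_sig = False
            continue
        m = SUMS_LINE.match(line)
        if m:
            sums[m.group(2)] = m.group(1)
    return sums


def sha256_of_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large tarballs never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def checksum_matches(tarball: Path, sums: dict) -> bool:
    """Step 2: the *compressed* tarball must be listed and hash to the listed
    value. An absent entry is a failure, not a skip."""
    expected = sums.get(tarball.name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_of_file(tarball), expected)


def gpg_verify_clearsigned(sums_asc: Path) -> bool:
    """Step 1: 'gpg --verify sha256sums.asc' (the infra auto-signature)."""
    return subprocess.run(["gpg", "--verify", str(sums_asc)],
                          capture_output=True).returncode == 0


def gpg_verify_uncompressed(tarball: Path, sig: Path) -> bool:
    """Step 3: decompress into a pipe and let gpg read the data from stdin
    ('-'), because the developer's .sign covers the uncompressed tar."""
    xz = subprocess.Popen(["xz", "-dc", str(tarball)], stdout=subprocess.PIPE)
    gpg = subprocess.run(["gpg", "--verify", str(sig), "-"],
                         stdin=xz.stdout, capture_output=True)
    xz.stdout.close()
    return xz.wait() == 0 and gpg.returncode == 0


def verify_tarball(tarball: Path, sums_asc: Path, sig: Path) -> bool:
    """Run the steps in the order given in the message; stop at first failure."""
    return (gpg_verify_clearsigned(sums_asc)
            and checksum_matches(tarball, parse_sha256sums(sums_asc.read_text()))
            and gpg_verify_uncompressed(tarball, sig))


# --- constructed sample data; not real kernel.org content ---
SAMPLE_CONTENT = b"constructed stand-in for a compressed tarball\n"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_CONTENT).hexdigest()
SAMPLE_SUMS_ASC = f"""-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

{SAMPLE_DIGEST}  linux-6.1.tar.xz
{'0' * 64}  linux-6.1.tar.sign
-----BEGIN PGP SIGNATURE-----

iQconstructedarmourthatdoesnotverify=
-----END PGP SIGNATURE-----
"""


def write_sample_tarball(content: bytes = SAMPLE_CONTENT) -> Path:
    """Write the constructed bytes under the sample filename in a temp dir."""
    p = Path(tempfile.mkdtemp()) / "linux-6.1.tar.xz"
    p.write_bytes(content)
    return p
```

For a real download you would call `verify_tarball(Path("linux-X.Y.tar.xz"), Path("sha256sums.asc"), Path("linux-X.Y.tar.sign"))` after fetching the three files; the checksum comparison uses `hmac.compare_digest` and treats an unlisted filename as a failure rather than silently skipping it.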