OpenCoarrays PGP release signing key updated


Zaak Beekman

Mar 7, 2018, 5:33:15 PM
to OpenCoarrays

Hello all,

I did not renew my PGP public key(s) expiration before it/they expired on Saturday 17 February 2018. However, this is not a problem since the owner of the public/private key pair can update the expiry date, and push this information to the public key servers. Today I did this, extending the expiration date of my public keys through 2020. If you wish to verify the signature of OpenCoarrays release assets, please make sure you fetch the latest version of my public key from the key server.

Here is the info about my primary key pair:

fingerprint: 1DB1 B5ED E321 22B2 8E56 810D CB21 118C 92A6 4702
long key id: 0xCB21118C92A64702

I have yet to push the updated public key to my personal website, but I will do this soon.

Thanks,
Zaak



Vishnu V. Krishnan

Jul 3, 2018, 2:46:43 AM
to OpenCoarrays
I'm a little curious about the signing procedure of the source files. Why sign the 'SHA256' file, and not the package directly?

I do understand that the same amount of authentication is achieved, but in the case of Arch Linux, the build script can only take in the checksum manually, and so a signature check against that file becomes useless.

Do you think you could supply a detached signature for the main tarball too?

Thanks!
Vishnu

Zaak Beekman

Jul 3, 2018, 9:52:44 AM
to OpenCoarrays
Hi Vishnu,

I'd be happy to sign the source tarball as well going forwards. The reason for signing the SHA256 checksum was mostly just emulating what Kitware does and so that in the future if we have multiple release assets, there is only one checksum file and only one detached signature.

Should the detached signature of the source tarball be ASCII-armored or binary? Any code signing tips, tricks or suggestions are always welcome!

Thanks,
Zaak

Vishnu V. Krishnan

Jul 3, 2018, 10:07:22 AM
to OpenCoarrays
A binary detached signature file should be fine. Most distributions have scripts handling the signature checking, and so ASCII armour isn't that important.
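The two verification paths discussed in this thread (a signature over the SHA256 checksum file versus a detached signature over the tarball itself), as an added shell example that is not OpenCoarrays' own release tooling. The default fingerprint is the one posted above; the file names, keyserver and helper names are assumptions.

```shell
# Added example, not the OpenCoarrays project's release scripts.
# Both paths require the signer's *current* key: gpg emits GOODSIG only for
# an unexpired key and EXPKEYSIG once the expiry has passed, so a stale local
# copy of a key whose expiry was later extended fails closed until refreshed.
# Assumes GnuPG 2.x and coreutils sha256sum on PATH.

# Fingerprint from the thread, used as the expected signer by default.
OPENCOARRAYS_SIGNING_FPR="1DB1B5EDE32122B28E56810DCB21118C92A64702"

# Fetch or refresh the signer's key so an extended expiry date is known locally.
refresh_signing_key() {
  gpg --batch --keyserver "${KEYSERVER:-hkps://keys.openpgp.org}" \
      --recv-keys "${1:-$OPENCOARRAYS_SIGNING_FPR}"
}

# Require GOODSIG (good signature, unexpired key) *and* VALIDSIG from the
# expected fingerprint. gpg's exit status alone is not enough: it is still 0
# when the signature was made with a key that has since expired.
gpg_signed_by() {
  sig="$1"; file="$2"; fpr="${3:-$OPENCOARRAYS_SIGNING_FPR}"
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
  printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
  printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $fpr "
}

# Path 1: signed checksum file. The signature only vouches for the SHA256
# file; sha256sum --check is what binds the tarball to it.
verify_via_checksum_file() {
  sums="$1"; sig="$2"; fpr="${3:-$OPENCOARRAYS_SIGNING_FPR}"
  gpg_signed_by "$sig" "$sums" "$fpr" || return 1
  ( cd "$(dirname "$sums")" && \
    sha256sum --check --strict --ignore-missing "$(basename "$sums")" >/dev/null )
}

# Path 2: detached signature (binary or ASCII-armoured; gpg accepts either)
# over the tarball itself, checkable by a build script with no checksum file.
verify_tarball_directly() {
  gpg_signed_by "$2" "$1" "${3:-$OPENCOARRAYS_SIGNING_FPR}"
}

# Usage (placeholder file names):
#   refresh_signing_key
#   verify_via_checksum_file SHA256 SHA256.sig && echo "checksum file ok"
#   verify_tarball_directly OpenCoarrays-x.y.z.tar.gz OpenCoarrays-x.y.z.tar.gz.sig
```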