Re: [PATCH] Document tarball signing

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Peter N. Lundblad wrote:
> +<p>After having extracted and tested the tarball, you should sign it using
> +gpg, to indicate that you've checked this
> +particular package. To do so, use a command like:</p>
> +
> +<pre>
> + gpg --sign --armor --detach-sign subversion-1.3.0-rc4.tar.bz2
> +</pre>

Let's save committers' fingers:

gpg -ba subversion-1.3.0-rc4.tar.bz2

I know I'm more likely to remember a single syllable 'ba', than the long
options - and it's obvious which one I'd rather type.

> +<p>This will result in a file with the same name as the signed file, but with
> +a <tt>.sig</tt> extension

.asc, not .sig

> +<pre>
> + bzip2 --cd subversion-1.3.0-rc4.tar.bz2 \
> + | gzip -9n subversion-1.3.0-rc4.tar.gz
> +</pre>

Command is wrong. Should be:

bzip2 -dc subversion-1.3.0-rc4.tar.bz2 \
| gzip -9nc > subversion-1.3.0-rc4.tar.gz

> +<p>The resulting file should be identical to the file generated by the
> +release manager, and thus can be signed as described above.</p>

Suggest verifying this by verifying the RM's signature, or by md5sum.

Max.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Cygwin)

iD8DBQFDg7TTfFNSmcDyxYARAqviAKCXqsgufkILKYI1JtB7zj5Fdh4OxQCgyzFk
cgl+P8E64FQYqXUoA8FYTC4=
=W/bK
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Wed Nov 23 01:17:41 2005