[fpc-pascal] FPC 3.0.4 released!
kardan
kardan at riseup.net
Fri Dec 1 00:55:09 CET 2017
On Thu, 30 Nov 2017 23:26:31 +0100
"Tomas Hajny" <XHajT03 at hajny.biz> wrote:
> Checksums may indeed be created / calculated rather easily. However,
> that is not enough. The checksums must get to the end user in secured
> way as well, otherwise it makes no sense. What is the appropriate
> mechanism for that from your point of view? Just listing on our WWW
> pages (since these may be accessed via HTTPS to avoid modification on
> the way) and copying the checksum to the WWW pages with links
> (somewhat time-consuming, unfortunately, due to many download pages
> and many files - I guess that we may provide you with a possibility
> to do this for the next release if you like ;-) )? Or having a signed
> (how - which trusted signature source?) checksum file accompanying
> each and every released file (cluttering the release directories
> considerably)? Or?

This is part of one of my install scripts for latest vagrant:

    VAGRANT_DEB=https://releases.hashicorp.com/vagrant/2.0.1/vagrant_2.0.1_i686.deb
    VAGRANT_SUMS=https://releases.hashicorp.com/vagrant/2.0.1/vagrant_2.0.1_SHA256SUMS
    # Keep (re)downloading until the local "hash  name" line equals the
    # matching line of the published SHA256SUMS file.
    until [ \
      "$(sha256sum vagrant_2.0.1_i686.deb)" = \
      "$(curl -s "$VAGRANT_SUMS" | grep "$(basename "$VAGRANT_DEB")")" ]
    do wget -c "$VAGRANT_DEB"; done
    sudo dpkg -i "$(basename "$VAGRANT_DEB")"

Wikipedia provides gpg signatures for each release file:

    gpg --recv-keys 9D3BB7B0
    URL=https://releases.wikimedia.org/mediawiki/1.29/mediawiki-1.29.2.tar.gz
    wget "$URL"{,.sig}
    gpg --verify "$(basename "$URL").sig"

Riseup.net takes it one step further and signs important statements and
certificates:

    https://riseup.net/en/canary
    https://riseup.net/en/security/network-security/riseup-ca

In your case it would probably be enough to

    sha256sum $FILES > SHA256SUMS.txt
    gpg --sign SHA256SUMS.txt

Thanks!
Kardan
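
The downloader's side of the SHA256SUMS.txt proposal above, as an added example that is not part of the original message or of the FPC release tooling: a check that refuses a file unless exactly one list entry names it and the hash matches. The function name, the return codes and the optional detached signature file (as produced by gpg --detach-sign rather than the gpg --sign shown above) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): fail-closed check of one
# downloaded file against a SHA256SUMS list.
#
# verify_sums SUMS_FILE FILE [SIG_FILE]
#   0  hash matches the single entry for FILE (and signature is good)
#   2  an input is missing or unreadable
#   3  gpg rejected SIG_FILE as a signature over SUMS_FILE
#   4  SUMS_FILE has no entry, or more than one, for FILE
#   1  hash mismatch
verify_sums() {
    sums=$1 file=$2 sig=${3:-}
    [ -r "$sums" ] && [ -r "$file" ] || return 2

    # Optional (assumed) detached signature over the list itself. gpg only
    # says that a key in the local keyring signed it; the key fingerprint
    # still has to reach the user over a trusted channel, e.g. HTTPS pages.
    if [ -n "$sig" ]; then
        gpg --verify "$sig" "$sums" >/dev/null 2>&1 || return 3
    fi

    name=$(basename "$file")
    # Match the file-name field exactly ("name" or binary-mode "*name"),
    # so "foo.tar" cannot be satisfied by the entry for "foo.tar.gz".
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1 }' "$sums")

    # Zero or several entries: refuse instead of comparing empty strings.
    [ "$(printf '%s\n' "$expected" | grep -c .)" -eq 1 ] || return 4

    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}
```
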