#7 Document MD5sum generation and GPG signing

open
nobody
2
2012-10-03
2009-08-18
William Kendrick
No

Might be worth automating this, somehow, but at the least we should document this somewhere so we know how to do it when making new releases. Per Holger Levsen:

4 commands are needed:

md5sum tuxtype_1.7.4.dfsg1.orig.tar.gz > tuxtype_1.7.4.dfsg1.orig.tar.gz.md5
sha1sum tuxtype_1.7.4.dfsg1.orig.tar.gz > tuxtype_1.7.4.dfsg1.orig.tar.gz.sha1
gpg --sign -a tuxtype_1.7.4.dfsg1.orig.tar.gz.sha1
gpg --sign -a tuxtype_1.7.4.dfsg1.orig.tar.gz.md5

(Strictly speaking, one could probably omit md5sums as they are deprecated
today, but maybe some people are happy about them...)

The above commands give you files with the checksums, i.e.
tuxtype_1.7.4.dfsg1.orig.tar.gz.sha1, and a gpg signature for that file, i.e.
tuxtype_1.7.4.dfsg1.orig.tar.gz.sha1.asc

To calculate the checksum:

sha1sum tuxtype_1.7.4.dfsg1.orig.tar.gz

should output the same checksum everywhere.

To verify the checksum is signed by you/whoever:

gpg tuxtype_1.7.4.dfsg1.orig.tar.gz.sha1.asc
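
One way to automate the steps above, as an added example that is not part of the original ticket or the project's release tooling. The function names are assumptions, and verification uses `gpg --decrypt` with `--status-fd` instead of a bare `gpg FILE.asc`, so the script can check which key signed the checksum and compare the signed checksum with the tarball itself:

```shell
#!/bin/sh
# Added example, not project code. All function names are assumptions.

# Write FILE.md5 and FILE.sha1 beside FILE. Running inside the file's
# directory keeps a bare file name in the checksum lines.
write_checksums() {
    ( cd -- "$(dirname -- "$1")" || exit 1
      f=$(basename -- "$1")
      md5sum -- "$f" > "$f.md5" && sha1sum -- "$f" > "$f.sha1" )
}

# The two signing commands from the ticket; each writes a .asc file.
sign_checksums() {
    gpg --sign -a "$1.sha1" && gpg --sign -a "$1.md5"
}

# True when the first checksum read from stdin equals the SHA-1 of FILE.
matches_sha1() {
    expected=$(awk 'NR == 1 { print $1 }')
    actual=$(sha1sum -- "$1" | awk '{ print $1 }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# True when the gpg status output in file $1 reports a valid signature
# made by the key whose fingerprint is $2.
signed_by() {
    awk -v fpr="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $3 == fpr { ok = 1 }
        END { exit !ok }' "$1"
}

# verify_release FILE FPR: check the signature on FILE.sha1.asc, then
# compare the checksum that was signed with the tarball on disk.
verify_release() {
    tmp=$(mktemp -d) || return 1
    rc=0
    gpg --status-fd 3 --output "$tmp/sha1" --decrypt "$1.sha1.asc" 3> "$tmp/status"
    signed_by "$tmp/status" "$2" && matches_sha1 "$1" < "$tmp/sha1" || rc=1
    rm -rf -- "$tmp"
    return "$rc"
}

case "${1:-}" in
    sign)   write_checksums "$2" && sign_checksums "$2" ;;
    verify) verify_release "$2" "$3" ;;
esac
```

Run it as `sh script.sh sign TARBALL` when cutting a release and `sh script.sh verify TARBALL FINGERPRINT` to check one.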

Discussion