A cryptographic signature of the source tarball (for example nsis-3.04-src.tar.bz2) would allow verifying that no third party has modified the code after its release (projects such as phpmyadmin, unrealircd, and proftpd have suffered from this kind of attack).
Sourceforge provides SHA1 hashes of all files if you go into the "Files" section to download and click on the "(i)".
The SHA1 hash provides some protection but does not make it possible to check that no third-party changes occurred after its release.
So you want the hash to be posted on a different server? I can try to remember to put the hash in the forum release posts.
For the main .exe installer, the SHA2 is available in the WinGet manifests for our last couple of releases and even longer back in Chocolatey.
Last edit: Anders 2025-11-05
The request is specific to packaging NSIS for Debian Linux.
Debian's linter (lintian) suggests verifying the upstream tarball using a cryptographic signature (https://udd.debian.org/lintian-tag/debian-watch-does-not-check-openpgp-signature).
So there would be a file named https://sf.net/nsis/nsis-3.11-src.tar.bz2.asc containing the OpenPGP signature (the result of signing the released source code tarball) provided next to the released source code tarball https://sf.net/nsis/nsis-3.11-src.tar.bz2.
Illustrated with the 2ping package:
https://www.finnie.org/software/2ping/
https://www.finnie.org/software/2ping/2ping-4.5.1.tar.gz
https://www.finnie.org/software/2ping/2ping-4.5.1.tar.gz.asc
watch file used by uscan for checking for new upstream source releases of 2ping:
https://salsa.debian.org/rfinnie/2ping-pkg-debian/-/blob/main/watch?ref_type=heads
public OpenPGP key of the upstream package (2ping) author:
https://salsa.debian.org/rfinnie/2ping-pkg-debian/-/blob/main/upstream/signing-key.asc?ref_type=heads
Last edit: f0rt 2025-11-05
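Putting the post above into practice, as an added example that is not part of the thread and not the NSIS project's or Debian's own code: a debian/watch stanza telling uscan to fetch the .asc next to each tarball and check it against a pinned key, the gpgv verification uscan performs under the hood, a hash check of the kind SourceForge's "(i)" page supports, and a round trip with a throwaway key showing that the unmodified tarball verifies while a tarball altered after release is rejected. The watch URL pattern, the example.invalid key identity and all file names are assumptions; the nsis-3.11-src.tar.bz2 written here is a constructed stand-in, not the real release.

```shell
#!/bin/sh
# Added example: how a Debian packager checks an upstream tarball against a
# detached OpenPGP signature with a pinned key, and the debian/watch stanza
# that makes uscan do it automatically. Key, file names and URL pattern are
# constructed/assumed here; they are not the NSIS project's.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. Watch stanza (format version 4). pgpsigurlmangle tells uscan to download
#    <tarball>.asc beside each tarball and verify it with the key stored at
#    debian/upstream/signing-key.asc. The URL pattern is an assumption.
write_watch_file() {
  cat > "$1" <<'EOF'
version=4
opts="pgpsigurlmangle=s/$/.asc/" \
  https://sf.net/nsis/nsis-([\d.]+)-src\.tar\.bz2
EOF
}

# 2. A hash published next to the download (SourceForge's "(i)" SHA1) proves
#    the bytes match what the server currently serves, nothing more: whoever
#    can replace the tarball can replace the hash line as well.
published_sha1_matches() {          # $1 tarball, $2 hash copied from the site
  [ "$(sha1sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# 3. What uscan does under the hood: verify the detached signature with gpgv
#    against ONLY the pinned upstream key, never the developer's own keyring.
#    Returns 0 for a good signature from that key, non-zero otherwise.
verify_upstream_tarball() {         # $1 tarball, $2 .asc signature, $3 armoured key
  [ -f "$1" ] && [ -f "$2" ] && [ -f "$3" ] || return 2
  keyring="$(mktemp "$WORK/keyring.XXXXXX")"
  gpg --batch --dearmor < "$3" > "$keyring" 2>/dev/null || return 3
  gpgv --keyring "$keyring" "$2" "$1" 2>/dev/null
}

# 4. Round trip with a throwaway key standing in for the upstream author's:
#    the pristine tarball verifies, a tarball altered after release does not.
demo_roundtrip() {
  d="$(mktemp -d "$WORK/rt.XXXXXX")"
  export GNUPGHOME="$d/gnupg"; mkdir -p "$GNUPGHOME"; chmod 700 "$GNUPGHOME"
  gpg --batch --quiet --gen-key 2>/dev/null <<'EOF'
%no-protection
Key-Type: eddsa
Key-Curve: Ed25519
Key-Usage: sign
Name-Real: Upstream Test
Name-Email: upstream@example.invalid
Expire-Date: 0
%commit
EOF
  gpg --batch --quiet --armor --export upstream@example.invalid > "$d/signing-key.asc"

  tarball="$d/nsis-3.11-src.tar.bz2"     # constructed stand-in, not a real release
  printf 'release contents\n' > "$tarball"
  gpg --batch --quiet --armor --detach-sign --output "$tarball.asc" "$tarball"

  verify_upstream_tarball "$tarball" "$tarball.asc" "$d/signing-key.asc" || return 1

  printf 'modified after release\n' >> "$tarball"
  if verify_upstream_tarball "$tarball" "$tarball.asc" "$d/signing-key.asc"; then
    return 1                              # tampered tarball must be rejected
  fi
  return 0
}

write_watch_file "$WORK/watch"
if command -v gpg >/dev/null 2>&1 && command -v gpgv >/dev/null 2>&1; then
  if demo_roundtrip; then
    echo "pristine tarball verified, tampered tarball rejected"
  else
    echo "signature round trip FAILED"; exit 1
  fi
else
  echo "gpg/gpgv not installed; skipping signature round trip"
fi
```

uscan only performs the check when the key is committed alongside the packaging (debian/upstream/signing-key.asc) and obtained out of band, so that a compromised download server cannot substitute both the tarball and the key at once; that is the property the hash line on the same host cannot give.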