From mboxrd@z Thu Jan  1 00:00:00 1970
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Mon, 9 Mar 2015 23:30:11 +0100
Subject: [PATCH] Check SHA256 sum of git-$VER.tar.gz after downloading
In-Reply-To: <20150307233510.GU3567@zaya.teonanacatl.net>
References: <0146555fda82120aa6ff6a7e9761d00d53ced865.1425739601.git.john@keeping.me.uk>
 <20150307155926.6430.47439@typhoon>
 <20150307170259.GI1369@serenity.lan>
 <20150307174932.8657.41364@typhoon>
 <20150307182002.GJ1369@serenity.lan>
 <20150307233510.GU3567@zaya.teonanacatl.net>
Message-ID: <CAHmME9q+VDnmM7sFf+dS2+mivLGEyw7TNdTx32pb1fm=ukuemA@mail.gmail.com>

On Mar 8, 2015 12:35 AM, "Todd Zullinger" <tmz at pobox.com> wrote:
> But while we're on the subject, are there PGP signatures available for
the cgit tarballs themselves?

I include a sha256 of the tarball in the announcement emails. Those emails
are pgp signed. My pgp key is embedded in the repo, as well, and it's
verifiable that all announce emails have been signed with the same key.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.zx2c4.com/pipermail/cgit/attachments/20150309/8add9ccd/attachment.html>