From 0d830af6b8441b9fc52cf5e2c6f815b2cf178d8f Mon Sep 17 00:00:00 2001 From: Nikolaus Rath Date: Wed, 5 Jul 2023 18:58:05 +0100 Subject: [PATCH] Don't attempt to put signify signature into gz header This is currently buggy, cf. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1042837 --- README.md | 11 +++++------ make_release_tarball.sh | 2 +- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index cf76978..6855cef 100644 --- a/README.md +++ b/README.md @@ -49,13 +49,12 @@ Supported Platforms Installation ------------ -You can download libfuse from -https://github.com/libfuse/libfuse/releases. To build and install, you -must use [Meson](http://mesonbuild.com/) and -[Ninja](https://ninja-build.org). After downloading the tarball, verify -it using [signify])(https://www.openbsd.org/papers/bsdcan-signify.html): +You can download libfuse from https://github.com/libfuse/libfuse/releases. To build and +install, you must use [Meson](http://mesonbuild.com/) and +[Ninja](https://ninja-build.org). After downloading the tarball and `.sig` file, verify +it using [signify](https://www.openbsd.org/papers/bsdcan-signify.html): - signify -V -z -m fuse-X.Y.Z.tar.gz -p fuse-X.Y.pub + signify -V -m fuse-X.Y.Z.tar.gz -p fuse-X.Y.pub The `fuse-X.Y.pub` file contains the signing key and needs to be obtained from a trustworthy source. Each libfuse release contains the signing key for the release after it diff --git a/make_release_tarball.sh b/make_release_tarball.sh index 32d15fd..a004063 100755 --- a/make_release_tarball.sh +++ b/make_release_tarball.sh @@ -29,7 +29,7 @@ rm -r "${TAG}/make_release_tarball.sh" \ cp -a doc/html "${TAG}/doc/" tar -czf "${TAG}.tar.gz" "${TAG}/" -signify-openbsd -S -z -s signify/$MAJOR_REV.sec -m $TAG.tar.gz +signify-openbsd -S -s signify/$MAJOR_REV.sec -m $TAG.tar.gz echo "Contributors from ${PREV_TAG} to ${TAG}:" -- 2.30.2
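Review bot: In the README.md hunk, the new command `signify -V -m fuse-X.Y.Z.tar.gz -p fuse-X.Y.pub` never names the signature file, so the reader has to know that signify falls back to `fuse-X.Y.Z.tar.gz.sig` next to the tarball when `-x` is not given. The text only says "the tarball and `.sig` file"; state the expected file name there, or add `-x fuse-X.Y.Z.tar.gz.sig` to the command, so that a renamed or misplaced download fails for an obvious reason. The README also calls the tool `signify` while make_release_tarball.sh invokes `signify-openbsd`; a short remark that the binary name differs between distributions would help. Minor style point: the reflowed first line ("... To build and") is now longer than the other lines of the paragraph.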
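Review bot: In the make_release_tarball.sh hunk, the signature is no longer embedded in the tarball once `-z` is dropped, and the script never names the file it now produces; it relies on signify's default of `$TAG.tar.gz.sig`. Passing `-x "${TAG}.tar.gz.sig"` explicitly would make the second release artifact visible to whoever reads or extends the script, and a one-line comment pointing at the Debian bug from the commit message would record why `-z` was removed and when it can be reconsidered. The changed line also leaves `$TAG` and `$MAJOR_REV` unquoted, while the `tar` line directly above uses `"${TAG}.tar.gz"`; quoting both keeps the script consistent and safe against unusual tag names.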