<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">2017-09-02 19:54 GMT+02:00 James McCoy <span dir="ltr"><<a href="mailto:jamessan@debian.org" target="_blank">jamessan@debian.org</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Sat, Sep 02, 2017 at 09:58:43AM +0200, Jérémy Lal wrote:<br>
> The typical example I have under the hand is:<br>
> <a href="https://nodejs.org/dist/v6.3.1/" rel="noreferrer" target="_blank">https://nodejs.org/dist/v6.3.<wbr>1/</a><br>
> <a href="https://nodejs.org/dist/v6.3.1/SHASUMS256.txt" rel="noreferrer" target="_blank">https://nodejs.org/dist/v6.3.<wbr>1/SHASUMS256.txt</a><br>
> <a href="https://nodejs.org/dist/v6.3.1/SHASUMS256.txt.asc" rel="noreferrer" target="_blank">https://nodejs.org/dist/v6.3.<wbr>1/SHASUMS256.txt.asc</a><br>
<br>
The subject confused me a bit.  This appears to be a list of the hashes<br>
of each file, and this list of hashes is signed.  That's quite different<br>
than the current signature handling, which expects a signature of the<br>
archive and verifies the archive against that signature.<br></blockquote><div></div></div><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">Indeed! Hence the feature request!</div><div class="gmail_extra"><br></div><div class="gmail_extra">Jérémy</div></div>
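
The two-step check discussed in this thread (verify the signature over the hash list, then check the archive against its entry in that list), as an added example that is not part of the original messages or of any existing tool. The function names, the detached-signature layout, the keyring path and the sample data are assumptions made for illustration.

```python
import hashlib
import hmac
import subprocess


def manifest_signature_ok(manifest_path, sig_path, keyring_path):
    """Step 1: the signature covers the hash list, not the archive.
    Assumes sig_path is a detached OpenPGP signature over manifest_path and
    keyring_path holds the upstream signing keys (all caller-supplied)."""
    proc = subprocess.run(
        ["gpgv", "--keyring", keyring_path, sig_path, manifest_path],
        capture_output=True,
    )
    return proc.returncode == 0


def parse_manifest(text):
    """Parse sha256sum-style lines: 64 hex digits, whitespace, optional '*', name."""
    digests = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            raise ValueError("malformed manifest line: %r" % line)
        digest, name = fields[0].lower(), fields[1].strip().lstrip("*")
        if len(digest) != 64 or set(digest) - set("0123456789abcdef"):
            raise ValueError("not a SHA-256 digest: %r" % line)
        if digests.setdefault(name, digest) != digest:
            raise ValueError("conflicting digests for %r" % name)
    return digests


def archive_matches_manifest(name, data, manifest_text):
    """Step 2: the archive is trusted only through its entry in the verified list.
    An archive the manifest does not name is rejected (fail closed)."""
    expected = parse_manifest(manifest_text).get(name)
    if expected is None:
        return False
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected)


# Constructed sample data, not the real Node.js release files.
SAMPLE_ARCHIVE = b"constructed stand-in for an upstream tarball"
SAMPLE_MANIFEST = (
    hashlib.sha256(b"some other release file").hexdigest() + "  other-file.tar.xz\n"
    + hashlib.sha256(SAMPLE_ARCHIVE).hexdigest() + "  example-1.0.tar.gz\n"
)
```

The archive should be accepted only when both steps succeed; a matching hash from a manifest whose signature was not checked proves nothing about origin.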