build: sign tarball instead of sha256sum
authorDavid Bremner <david@tethera.net>
Wed, 13 Feb 2019 02:17:03 +0000 (22:17 -0400)
committerDavid Bremner <david@tethera.net>
Tue, 12 Mar 2019 01:28:11 +0000 (22:28 -0300)
Adam Majer pointed out in [1] that the way we were signing releases was
unusual. Neither Carl nor I could think of a good reason for
explicitly signing the checksum (internally of course that's what GPG
is doing anyway).

[1] mid:b3fd556d-c346-7af9-a7a2-13b0f3235071@suse.de

Makefile.global
Makefile.local

index cae4c7d1d80c19d576d6ce71d196abdc80a912cd..6e17494a5949a934f03e2ed5696c24490b8f290c 100644 (file)
@@ -44,7 +44,7 @@ TAR_FILE=$(PACKAGE)-$(VERSION).tar.gz
 ELPA_FILE:=$(PACKAGE)-emacs-$(ELPA_VERSION).tar
 DEB_TAR_FILE=$(PACKAGE)_$(VERSION).orig.tar.gz
 SHA256_FILE=$(TAR_FILE).sha256
-GPG_FILE=$(SHA256_FILE).asc
+GPG_FILE=$(TAR_FILE).asc
 
 PV_FILE=bindings/python/notmuch/version.py
 
index 82145e1b4e8e83122f44bb3313fbe457e261bfe9..01ba49cc9e9d7e6ce946f47fe618bcbb9787026a 100644 (file)
@@ -42,8 +42,8 @@ $(TAR_FILE):
 $(SHA256_FILE): $(TAR_FILE)
        sha256sum $^ > $@
 
-$(GPG_FILE): $(SHA256_FILE)
-       gpg --armor --sign $^
+$(GPG_FILE): $(TAR_FILE)
+       gpg --armor --detach-sign $^
 
 .PHONY: dist
 dist: $(TAR_FILE)
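Review bot: The new `$(GPG_FILE)` recipe never names its output, so the rule only produces its target because gpg's default for an armored detached signature appends `.asc` to the input name, which happens to match `GPG_FILE=$(TAR_FILE).asc` in Makefile.global. Writing it as `gpg --armor --output $@ --detach-sign $<` ties the recipe to its target and keeps the two files from drifting apart. After this change nothing signs `$(SHA256_FILE)`, so that file only detects accidental corruption and says nothing about authenticity. A comment above its rule, such as `# unsigned: verify releases with $(GPG_FILE), not the checksum alone`, would keep that visible, and any published verification instructions (not shown here) presumably need the same update. No `--local-user` is passed, so the signature is made with whatever key gpg selects by default on the release machine.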