On 6/07/2020, at 13:24, Alan DeKok <aland@deployingradius.com> wrote:
The GitHub tarballs have a differently named root folder, so the signature checking is failing. Hashes show they're different:
Yes. We create our own tarballs and sign those. When we tag a release, GitHub *also* creates it's own tarballs, which are different.
GitHub doesn't seem to have a way to upload our own tarballs. And TBH, I won't sign random things created by a third party.
When you create a “Release” in GitHub you can upload a “binary”. That can be a tgz of source code. It’s not ideal, as you still get “Source Code” zip and tgz options in the release download page - but it could work around this issue. You can reduce the “Source Code” zip contents to nil by using gitattributes export-ignore to tell GitHub not to export certain files (and make it match files), but that means anyone doing archive generation for whatever reasons will be confused. -- Nathan Ward