
Checksum for published packages

Open stacheldrahtje opened this issue 2 months ago • 3 comments

How to use GitHub

  • Please use the 👍 reaction to show that you are interested in the same feature.
  • Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
  • Subscribe to receive notifications on status change and new comments.

Feature request

Which Nextcloud Version are you currently using: (see administration page) 4.0.0

Is your feature request related to a problem? Please describe. A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

When building a package for a distro and upon receiving a contribution it is quite important to know the tarball is authentic. A checksum posted together with the tarball would be most helpful.

Describe the solution you'd like A clear and concise description of what you want to happen. B a checksum file together with each published package to verify authenticity, e.g. sha256sum

Describe alternatives you've considered A clear and concise description of any alternative solutions or features you've considered.

Additional context Add any other context or screenshots about the feature request here.

stacheldrahtje avatar Oct 27 '25 05:10 stacheldrahtje

We do have a GPG Nextcloud key that we use to sign the release packages. Is this not enough?

mgallien avatar Nov 19 '25 09:11 mgallien

The key is located there: https://nextcloud.com/nextcloud.asc

mgallien avatar Nov 19 '25 09:11 mgallien

So every published tarball is signed with that key. Can this be verified on the downloader's end, like with gpg --verify? I had no luck with that. If so, I've probably missed something. If not, a sha256sum is also a possibility.

stacheldrahtje avatar Nov 19 '25 11:11 stacheldrahtje
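
The downloader-side check discussed in this thread, as an added example that is not part of the thread or of Nextcloud's own tooling: a shell function that accepts a tarball only when its detached signature is good and was made by a key whose full fingerprint the packager obtained out of band. The function name, argument order and file names are assumptions, and the thread does not say where or under what name a signature file is published.

```shell
# Added example. File names and the fingerprint are supplied by the caller;
# none of them come from the thread above.
# usage: verify_release TARBALL DETACHED_SIG PUBLIC_KEY_FILE EXPECTED_FINGERPRINT
# Returns 0 only if the signature is good AND was made by the expected key.
verify_release() {
    tarball=$1; sig=$2; keyfile=$3
    # Normalise the pinned fingerprint: drop spaces, upper-case the hex digits.
    want=$(printf '%s' "$4" | tr -d ' ' | tr 'a-f' 'A-F')

    command -v gpg >/dev/null 2>&1 || { echo "gpg not found" >&2; return 2; }
    for f in "$tarball" "$sig" "$keyfile"; do
        [ -f "$f" ] || { echo "missing file: $f" >&2; return 2; }
    done
    # A short key ID is not enough to pin a key; require a full fingerprint.
    [ "${#want}" -ge 40 ] || { echo "need a full fingerprint" >&2; return 2; }

    # Throwaway keyring: keys already in ~/.gnupg cannot satisfy the check.
    home=$(mktemp -d) || return 2
    gpg --homedir "$home" --batch --quiet --import "$keyfile" 2>/dev/null || :

    # --status-fd prints machine-readable lines. GOODSIG appears only for a
    # good signature from a key that is not expired or revoked; the last field
    # of VALIDSIG is the primary-key fingerprint of the signer.
    status=$(gpg --homedir "$home" --batch --status-fd 1 \
                 --verify "$sig" "$tarball" 2>/dev/null) || :
    rm -rf "$home"

    got=$(printf '%s\n' "$status" |
          awk '$2 == "GOODSIG" { ok = 1 } $2 == "VALIDSIG" { fpr = $NF }
               END { if (ok) print fpr }')

    if [ -n "$got" ] && [ "$got" = "$want" ]; then
        echo "OK: signed by $got"
        return 0
    fi
    echo "FAIL: no good signature from $want" >&2
    return 1
}
```

A sha256sum file downloaded from the same place as the tarball detects a corrupted download but not a replaced one, which is why the function compares against a pinned fingerprint rather than a published hash.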