Jim Meyering writes:

> Feel free to make the script generate a full fingerprint and even
> (though it feels a little like giving up) add a checksum or two.

I think checksums still serve a purpose. Many announcement e-mails are OpenPGP signed (and sometimes with a different key than the release tarballs, thus creating another way to verify tarballs). Checksums also make it harder to replace the tarball on the server with a fake (or, after a key compromise, a genuine) signature. I don't think it is an either-or situation, but rather a belt-and-suspenders case. Ideally, people downloading a release should verify both the signature (to know it comes from a trusted origin) and the checksum (to know it is the intended release, in case multiple signed versions co-exist).

The patches below make the maintainer-makefile announcements contain SHA1 and B64(SHA256) checksums by default. The MD5 checksums are dropped; they are completely insecure now.

The B64(SHA256) output is inspired by OpenSSH, which started this practice with release 6.5 in 2014 and still today prints similar outputs, see:

https://www.openssh.com/txt/release-6.5
https://www.openssh.com/txt/release-8.6

Unfortunately, 'sha256sum' can't verify these outputs, but I recall earlier discussions around 'sha256sum --base64' so I will resume work on that. We could opt to simply use the "standard" sha256sum output instead, if people here don't like the base64 output format.

/Simon