Signature for a released source code package

[Uwe Scholz <u scholz83 gmx de>]

Hi,

I am the maintainer of Gnome-Commander which is hosted and distributed on the gnome servers.

I have been asked by a user why I don't put a signature for the software package on my projects homepage. Actually, I just put a link to the *.tar.xz file on it, pointing to the these file(s) on the gnome server: https://download.gnome.org/sources/gnome-commander/1.8/

Now after I thought about it I was wondering how a user can be sure that he gets the same source code which I uploaded to the Gnome servers. The thing is, when I do a release with "make distcheck" as described in the gnome wiki(*), a tar.bz2 file is generated locally on my PC. This file is then copied via scp to the gnome server. But when executing "ftpadmin install" on the gnome server I see that the server is doing some magic and converts the tar.bz2 archive into a tar.xz one. Why does this happen?

The user who wrote me his mail was wondering if I could give him a signature file (gnome-commander-1.8.0.tar.xz.asc) so that he could verify the integrity of the version he downloaded. I would have to generate this signature by using my private gnupg key. Signing can therefore only be done by myself and I have to put my public gpg key on the projects homepage of course for checking.

I didn't respond to the users question yet as I first wanted to ask you: How can I provide a signature file for the downloadable package (which is actually created by the gnome server right after my initial upload)? Is this even possible? How do you do this? If not, why?

In the age of software bugs and security flaws I would be happy to provide a software package for which I can prove that it is exactly the version I uploaded to the gnome servers. Currently I am not able to do so.

Can somebody shed some light in here, please?

Thanks in advance
Uwe


(*) https://wiki.gnome.org/MaintainersCorner/Releasing