From 3c9165d295966b7f22aa1f77c5444aa55cf73e5b Mon Sep 17 00:00:00 2001
From: Jakob Borg <jakob@nym.se>
Date: Wed, 13 Aug 2014 12:52:04 +0200
Subject: [PATCH] Sign checksums, not files.

---
 README.md |  5 +++--
 build.sh  | 12 ------------
 2 files changed, 3 insertions(+), 14 deletions(-)

diff --git a/README.md b/README.md
index de46a74d..46e8120e 100644
--- a/README.md
+++ b/README.md
@@ -33,8 +33,9 @@ Signed Releases
 ---------------
 
 As of v0.7.0 and onwards, git tags and release binaries are GPG signed with
-the key BCE524C7 (http://nym.se/gpg.txt). The signature is included in the
-normal release bundle as `syncthing.asc` or `syncthing.exe.asc`.
+the key BCE524C7 (http://nym.se/gpg.txt). For release binaries, MD5 and
+SHA1 checksums are calculated and signed, available in the
+md5sum.txt.asc and sha1sum.txt.asc files.
 
 Documentation
 =============
diff --git a/build.sh b/build.sh
index fb1bb86b..db54a6ed 100755
--- a/build.sh
+++ b/build.sh
@@ -54,22 +54,11 @@ test() {
 	godep go test -cpu=1,2,4 $* ./...
 }
 
-sign() {
-	if git describe --exact-match 2>/dev/null >/dev/null ; then
-		# HEAD is a tag
-		id=BCE524C7
-		if gpg --list-keys "$id" >/dev/null 2>&1 ; then
-			gpg -ab -u "$id" "$1"
-		fi
-	fi
-}
-
 tarDist() {
 	name="$1"
 	rm -rf "$name"
 	mkdir -p "$name"
 	cp syncthing "${distFiles[@]}" "$name"
-	sign "$name/syncthing"
 	tar zcvf "$name.tar.gz" "$name"
 	rm -rf "$name"
 }
@@ -82,7 +71,6 @@ zipDist() {
 		GOARCH="" GOOS="" go run cmd/todos/main.go < "$f" > "$name/$f.txt"
 	done
 	cp syncthing.exe "$name"
-	sign "$name/syncthing.exe"
 	zip -r "$name.zip" "$name"
 	rm -rf "$name"
 }