Support for GPG‑signed checksums

[dhanushkandagatla]

Hi team,

Thanks for maintaining packer-plugin-windows-update.

I noticed that release artifacts include SHA256 checksums, but I couldn’t find a corresponding GPG‑signed checksum file (for example, SHA256SUMS.sig).

Do you currently publish signed checksum files for releases? If so, could you point me to the signature file and the public key used for verification?

If signed checksum files are not currently published, would it be possible to add them? Having a .sig file would be very helpful.

Thanks!

@rgl

[rgl]

Thanks for noticing this was missing!

I've added it to https://github.com/rgl/packer-plugin-windows-update/releases/tag/v0.17.2.

Let me known if its working as expected.

[dhanushkandagatla]

Hi @rgl,

Thanks for adding GPG signatures to the releases in v0.17.2!

Would you consider adding your public GPG key as a file in the repository (e.g., public-key.asc)? This would make signature verification easier and more reliable than depending on keyserver availability.

Alternatively, publishing the key to public keyservers would also work.

Thanks!

[rgl]

I've added it to https://keyserver.ubuntu.com (and can be search at https://keyserver.ubuntu.com/pks/lookup?search=ruilopes.com+packer-plugin-windows-update&fingerprint=on&op=index) but since there isn't any kind of verification, I'm not sure how useful is having the key there.