Produce detatched signature for setup executable using new and old keys

This is slightly fraught: If we don't specify a digest preference, sha1
will be used with both keys, which we don't want.  Even if we do specify
a digest preference, sha1 is still used for DSA, and gpg won't verify
all the signatures, if they don't use the same hash algorithm (See [1]).
So specify dsa2 as well, to allow sha256 to be used in both signatures.

[1] https://dev.gnupg.org/T1462

diff --git a/Makefile.am b/Makefile.am
index 4ceeb98d8329073e5545ebb75d5494685541d136..987909cd612f913645a75d39c2690a0112bee97b 100644 (file)
--- a/Makefile.am
+++ b/Makefile.am
@@ -306,10 +306,11 @@ release: upx
 
 UPLOAD_HOST=cygwin-admin@cygwin.com
 UPLOAD_PATH=/www/sourceware/htdocs/cygwin/setup
+SIGN_KEYS="--enable-dsa2 --personal-digest-preferences=sha256 -u 676041BA -u 1A698DE9E2E56300"
 
 upload: release
        scp setup-${VER}.$(ARCH).exe setup-${VER}.$(ARCH).dbg ${UPLOAD_HOST}:${UPLOAD_PATH}
-       ssh ${UPLOAD_HOST} gpg --detach-sign ${UPLOAD_PATH}/setup-${VER}.$(ARCH).exe
+       ssh ${UPLOAD_HOST} gpg ${SIGN_KEYS} --detach-sign ${UPLOAD_PATH}/setup-${VER}.$(ARCH).exe
 
 clean-local:
        rm -f setup*${EXEEXT} setup*.dbg