When we release Subversion source code we provide a concatenation of OpenPGP signatures from multiple developers in a single "$FILE.asc" file corresponding to each package, where $FILE is for example "subversion-1.9.0.tar.gz".

It says in our instructions at http://subversion.apache.org/download/#verifying that "gpg --verify $FILE.asc" can be used to verify the signatures, but that works only when all the signatures are of the same kind. Often, some are of different kinds, and then GPG only verifies the first one, saying "WARNING: multiple signatures detected. Only the first will be checked."

Some options for improving the situation include:

* Combine all our signatures into a single OpenPGP SIGNATURE block, as described at the end of <https://lists.gnupg.org/pipermail/gnupg-users/2013-July/047118.html>. Then a simple "gpg --verify $FILE.asc" will verify all the sigs in that block. (This solution won't fix the issue for people downloading previous releases unless we retrospectively update the .asc files for those.)

* Write a script and/or find a commonly available program that will verify the concatenated sequence of signatures that we currently provide, and document this, and document that GPG on its own does not do so.

* Implement support in GPG for verifying the concatenated sequence of different kinds of signatures, and propose this patch for inclusion in GPG, and document which GPG version supports this. See the gnupg-devel email thread "Re: checking multiple signatures of different types (or different digests)" on 2013-01-13 <http://www.gossamer-threads.com/lists/gnupg/devel/60180#60180> where David Shaw hints that it has not been done yet because of lack of demand.

See also a discussion on our IRC channel: <http://colabti.org/irclogger/irclogger_log/svn-dev?date=2015-08-12#l39>.
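
A sketch of the second option above, as an added example that is not part of the original issue or of the Subversion project's tooling: split the concatenated file into its individual armored blocks and run "gpg --verify" on each one. The script and function names are hypothetical; it assumes gpg is on PATH and the signers' public keys are already in the keyring.

```python
import re
import subprocess
import sys
import tempfile

# Matches one ASCII-armored detached signature block, armor lines included.
SIG_BLOCK = re.compile(
    r"-----BEGIN PGP SIGNATURE-----.*?-----END PGP SIGNATURE-----",
    re.DOTALL,
)

def split_signatures(asc_text):
    """Return each armored signature block found in a concatenated .asc file."""
    return [m.group(0) + "\n" for m in SIG_BLOCK.finditer(asc_text)]

def verify_all(data_path, asc_path, gpg="gpg"):
    """Run 'gpg --verify' once per block; return (index, ok, gpg status text)."""
    with open(asc_path, encoding="ascii", errors="replace") as f:
        blocks = split_signatures(f.read())
    results = []
    for i, block in enumerate(blocks, 1):
        # Each block goes into its own file so gpg never sees more than one
        # signature at a time and cannot skip the later ones.
        with tempfile.NamedTemporaryFile("w", suffix=".asc") as tmp:
            tmp.write(block)
            tmp.flush()
            proc = subprocess.run([gpg, "--verify", tmp.name, data_path],
                                  capture_output=True, text=True)
        results.append((i, proc.returncode == 0, proc.stderr.strip()))
    return results

def main(argv):
    if len(argv) != 3:
        print("usage: verify_sigs.py FILE FILE.asc", file=sys.stderr)
        return 2
    results = verify_all(argv[1], argv[2])
    for i, ok, status in results:
        print(f"signature {i}: {'GOOD' if ok else 'FAILED'}\n{status}\n")
    # Fail when no signature block was found, or when any one did not verify.
    return 0 if results and all(ok for _, ok, _ in results) else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A zero exit status here means every block verified against a key in the local keyring; whether those keys really belong to Subversion developers still has to be checked separately, for example by comparing fingerprints.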