When we release Subversion source code we provide a concatenation of OpenPGP
signatures from multiple developers in a single "$FILE.asc" file corresponding
to each package, where $FILE is for example "subversion-1.9.0.tar.gz".
Our instructions at
http://subversion.apache.org/download/#verifying
say that "gpg --verify $FILE.asc" can be used to verify the signatures, but that
works only when all the signatures are of the same kind (same signature type and
same digest algorithm). Often some are of different kinds, and then GPG verifies
only the first one, saying "WARNING: multiple signatures detected. Only the first
will be checked." A "Good signature" result in that case covers just one
developer's signature; the others are not checked at all.
Some options for improving the situation include:
* Combine all our signatures into a single OpenPGP SIGNATURE block, as
described at the end of
<https://lists.gnupg.org/pipermail/gnupg-users/2013-July/047118.html>. Then a
simple "gpg --verify $FILE.asc" will verify all the signatures in that block.
(This solution won't fix the issue for people downloading previous releases
unless we retrospectively update the .asc files for those.)
* Write a script, and/or find a commonly available program, that verifies the
concatenated sequence of signatures we currently provide, document how to use
it, and document that GPG on its own does not do so.
* Implement support in GPG for verifying a concatenated sequence of signatures
of different kinds, propose the patch for inclusion in GPG, and document which
GPG version supports it. See the gnupg-devel thread "Re: checking multiple
signatures of different types (or different digests)" of 2013-01-13
<http://www.gossamer-threads.com/lists/gnupg/devel/60180#60180>, where David
Shaw hints that it has not been done yet for lack of demand.
See also a discussion on our IRC channel:
<http://colabti.org/irclogger/irclogger_log/svn-dev?date=2015-08-12#l39>.
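The second option above, as an added example (not a script from the Subversion project): a POSIX shell script that splits a concatenated "$FILE.asc" into one armored block per file and runs "gpg --verify" on each block, so every signature is checked regardless of its type or digest algorithm, and the script fails if any one of them does not verify. The script name, the temporary-directory layout and the self-check data (fake armor, not real signature data) are assumptions; the developers' keys must already be in the local keyring for gpg to report a signature as good.

```shell
#!/bin/sh
# verify-sigs.sh (assumed name): check every OpenPGP signature in a
# concatenated .asc file, one "gpg --verify" run per armored block.
# Added example; not the Subversion project's own script.
set -eu

# split_sigs ASCFILE OUTDIR
# Copies each "-----BEGIN PGP SIGNATURE-----" ... "-----END PGP SIGNATURE-----"
# block of ASCFILE into OUTDIR/sig-1.asc, OUTDIR/sig-2.asc, ... and prints
# the number of blocks found (0 if there were none).
split_sigs() {
    asc=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /^-----BEGIN PGP SIGNATURE-----$/ { n++; out = dir "/sig-" n ".asc"; inblock = 1 }
        inblock { print > out }
        /^-----END PGP SIGNATURE-----$/ { if (inblock) close(out); inblock = 0 }
        END { print n + 0 }
    ' "$asc"
}

# verify_all ASCFILE TARGET
# Verifies every signature block in ASCFILE against TARGET. gpg is run once
# per block, so signatures of different kinds are all checked rather than
# only the first. Returns nonzero if any block fails to verify.
verify_all() {
    asc=$1; target=$2
    tmp=$(mktemp -d)
    count=$(split_sigs "$asc" "$tmp")
    if [ "$count" -eq 0 ]; then
        echo "no PGP SIGNATURE blocks found in $asc" >&2
        rm -rf "$tmp"
        return 1
    fi
    rc=0
    i=1
    while [ "$i" -le "$count" ]; do
        echo "== signature $i of $count =="
        gpg --verify "$tmp/sig-$i.asc" "$target" || rc=1
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# selfcheck: exercise split_sigs offline on a constructed two-block file.
# The armor bodies are placeholders, not real signature data.
selfcheck() {
    d=$(mktemp -d)
    printf '%s\n' \
        '-----BEGIN PGP SIGNATURE-----' 'Version: GnuPG v1' '' 'AAAA' '=AAAA' \
        '-----END PGP SIGNATURE-----' '' \
        '-----BEGIN PGP SIGNATURE-----' 'Version: GnuPG v2' '' 'BBBB' '=BBBB' \
        '-----END PGP SIGNATURE-----' > "$d/two.asc"
    n=$(split_sigs "$d/two.asc" "$d/out")
    rm -rf "$d"
    echo "$n"
}

# Usage: ./verify-sigs.sh subversion-1.9.0.tar.gz.asc subversion-1.9.0.tar.gz
# With no arguments, only the offline self-check runs.
if [ "$#" -eq 2 ]; then
    verify_all "$1" "$2"
else
    echo "selfcheck: split $(selfcheck) signature blocks"
fi
```

Each gpg run reports its own "Good signature from ..." (or failure) line, so the output lists exactly which developers' signatures were checked; the exit status is nonzero if any block fails, which is what a download page or a CI job would want to test.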