Topic: Meta: Simplify checksum files
As I see it, there is one checksum file for all downloads, and there is one PGP signature file to verify that checksum file.
However when verifying the downloads the process is more complicated as it should be:
Use PGP/GPG to verify the signature on the checksum file itself
Use some tool to create the checksum(s) for the download(s)
If the tool cannot compare the checksums computed with the values in the file, compare manually (actually no fun at all)
I see two ways to improve the situation:
Use a "clearsign" PGP signature for the checksum file: That would simplify handling (only one file needed, signature "included").
Create a detached PGP signature for each download: Verifying the download using PGP/GPG is very simple then, but only one specific checksum is created, and PGP/GPG has to be used to verify the downloads. There's also an advantage after download: It's easy to relate the checksum file to the downloaded file (it just has ".sig" or ".pgp" added); in contrast if you have one large download directory, it's hard to tell to which downloaded files the CHECKSUMS.txt file belongs.