On Thu, Apr 13, 2017 at 01:30:57PM -0700, William Roberts wrote:

> That's not true, he's providing you a detached signature via this
> mechanism. You just need to check the sha256sum before extraction.

The problem with providing only a SHA256 hash is that the hash was
provide via an insecure channel. I can't be sure that the hash is really
from him because he didn't even sign his mails. Someone could spoof his
mail or MITM in the webserver with the tarballs, etc etc..

The only secure way to ensure the original content of the tarball is via
signed tarballs signed by the developer.

Checksums and signed tarballs are totally two different things.