Yeah, I was worried the remote repos would produce a different hash.
But you mention an interesting idea. I wonder if I could write a bash or python script that would iterate over every file in a given folder, calculate its hash, then append the hash into a SHASUM text file. If you had that, you could just run the script and then sign the SHASUM file. Then downloaders could compare file hashes individually.
Glad you're thinking about it and understand its importance. I would just hate it if the repo were hacked and some horrible things were put into it in order to incriminate those who are just trying to be honest investigators.
If I can get around to that script, I'll drop you a link so you can use it. Great work so far, ausbitbank.
Found a way to do it for now: https://steemit.com/pizzagate/@ausbitbank/pizzagate-git-repo-updated-now-includes-file-hashes-and-pgp-signature
Cool, yeah, I think it's definitely doable. I just want to come up with a system that lets everything be verified as easily as possible.
If the process involves me having to download and sign an external ~300 MB archive each time I push a new text file to the repo, it'll discourage me from using it. A script that runs before git push'ing would be great.
Ideally, it would make index files that not only contain file size and file hash for everything in the archive - but are also linked up so the whole repository could be dropped onto a webhost (with directory listings disabled) and it would already be a navigable basic website as well.
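The per-file hash manifest discussed in this thread, written out as an added example that is not part of any poster's message or of the repository's own tooling. It assumes SHA-256, a manifest named `SHA256SUMS` at the repository root, and hypothetical function names; it also adds a verification step that reports changed, missing and unlisted files.

```python
import hashlib
import os

MANIFEST = "SHA256SUMS"  # assumed manifest name, kept at the repo root

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Return {relative_path: digest} for every regular file under root."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d != ".git")  # skip git metadata
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel == MANIFEST or os.path.islink(full):
                continue  # skip the manifest itself and symlinks
            if "\n" in rel:
                raise ValueError("newline in file name: %r" % rel)
            entries[rel] = sha256_file(full)
    return entries

def write_manifest(root):
    """Write sorted 'digest  path' lines, the format `sha256sum -c` reads."""
    entries = build_manifest(root)
    path = os.path.join(root, MANIFEST)
    with open(path, "w", encoding="utf-8", newline="\n") as out:
        for rel in sorted(entries):
            out.write("%s  %s\n" % (entries[rel], rel))
    return entries

def verify_manifest(root):
    """Compare the tree with the manifest; return (changed, missing, extra)."""
    listed = {}
    with open(os.path.join(root, MANIFEST), encoding="utf-8") as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            listed[rel] = digest
    actual = build_manifest(root)
    changed = sorted(p for p in listed if p in actual and actual[p] != listed[p])
    missing = sorted(p for p in listed if p not in actual)
    extra = sorted(p for p in actual if p not in listed)  # files nobody signed
    return changed, missing, extra
```

The manifest only proves anything once it is signed, for example with `gpg --armor --detach-sign SHA256SUMS`, and once downloaders check that signature before trusting the hashes, since anyone able to alter the files could also regenerate an unsigned manifest. The `extra` list matters for the concern raised above about planted files: a file that appears in the tree but not in the signed manifest was never vouched for.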