These scripts are offered for trust and transparency in how I secure my software releases are not modified by an attacker. And also to enable to you easily perform the necessarily check. These scripts are licenced so that you can adapt them to your hosting of your own software. This is how it works: when I make a software release, a create and push a git tag, I know that my local git repositry is clean. This is used as the reference for truth. I also create a tarball for a static release. I then use ./gen-checksums which checks the tarball, along with my non-static releases (created by pushing the git tags), against my local git repositry. Once all releases have been validated, ./gen-checksums outputs the checksums for each tarball, using a number of hash functions. The checksums are not specifically tied to the tarballs, but rather listed as known good checksums. The checksums are published to my website, where all static files are signed, so the checksum listing can be trusted. When creating a package for a distribution, I download the tarball for the used mirror, and validate it against the checksum list using ./validate-checksum which prints the checksum for a selected hash function. ./validate-checksum is primary intended for first party packaging. ./maandree-dl can be used by package maintainers. It will download and validate the latest release (or a specific release of your choosing), but it will also fail if there are important changes that could effect how the packaging should be performed. ./maandree-dl will download the release from an arbitrary mirror (and try others until it finds one that is available). This is good for binary releases, but for releases that are built by the user from source, the release file should first be downloaded from the best mirror (./maandree-dl will validate the tarball if it's already downloaded). Additionally, I sign all git commits and git tags, however these signatures eventually become outdated as the used PGP key expires (or is revoked). The signatures for the checksum listings are always kept up to date with the key.