Package trust file format
=========================

Basic HMACs / key fingerprints
------------------------------

It could look like this:

    \slul 0.0.0
    ...
    \depends something
    \depends other
    \dep_sums dep_sums1.txt
    \dep_sums dep_sums2.txt
    \sign_key 226395687151d1c8af19b5327a3336cdd7c478bba5b1c8996d7d70028effd928; keys/filename.asc

contents:

    something; 1.0.1; hmac; sha256; b08abd37753c0a39a3764a4d1bc8b2ce192751de961160140e5c5a66e2d7afb8
    something; 1.0; hmac; sha256; e003f84b3b4dc6832bdb7bb5ff61117959bef90d47da16c83e75f84d137a9d66
    something; 1.0; keyfp; sha256; 226395687151d1c8af19b5327a3336cdd7c478bba5b1c8996d7d70028effd928; keys/filename.asc

The keyfp would be an HMAC of the key.

The signatures themselves most likely have to go outside the SLUL files. For example:

    somelib.slul
    somelib.slul.sig
    somelib-1.0.1.tar.gz
    somelib-1.0.1.tar.gz.sig

The advantage of having the key fingerprint in the main.slul file is that it gets distributed, for example for libraries, where the interface ("header file") is the main.slul file of the library.
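As an added illustration (not part of this note or of the SLUL project), the following Python sketch parses the directive lines of a main.slul header and the semicolon-separated records of a dep_sums file, then checks dependency archives and the signing key against them. It assumes that an "hmac; sha256" record carries a plain SHA-256 digest of the dependency archive (the note names no key for it), that a "keyfp" record is the SHA-256 of the key file's bytes, and that the \sign_key fingerprint in main.slul must agree with the keyfp record for the same key path. All sample texts, archive bytes and key bytes are constructed here; the digests in the sample records are the SHA-256 of those constructed bytes.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed main.slul header using the directives from the note above.
SAMPLE_SLUL = """\
\\slul 0.0.0
\\depends something
\\depends other
\\dep_sums dep_sums1.txt
\\sign_key b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9; keys/filename.asc
"""

# Constructed dep_sums file. Columns: name; version; type; hash algorithm;
# digest[; key path]. Digests match the constructed bytes further below.
SAMPLE_DEP_SUMS = """\
something; 1.0.1; hmac; sha256; ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
other; 1.0; hmac; sha256; e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
something; 1.0.1; keyfp; sha256; b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9; keys/filename.asc
"""

# Constructed stand-ins for the archive and key files (not real tarballs or keys).
SAMPLE_ARCHIVES = {"something-1.0.1.tar.gz": b"abc", "other-1.0.tar.gz": b""}
SAMPLE_KEYS = {"keys/filename.asc": b"hello world"}

HEX_DIGITS = set("0123456789abcdef")


@dataclass
class DepSum:
    name: str
    version: str
    kind: str                 # "hmac" (content digest) or "keyfp" (key fingerprint)
    algo: str                 # only "sha256" is accepted here
    digest: str               # lowercase hex
    key_path: Optional[str]   # present for keyfp records only


def parse_slul_directives(text: str) -> Dict[str, List[str]]:
    """Collect the \\name value lines of a main.slul file; other lines are ignored."""
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("\\"):
            continue
        name, _, value = line[1:].partition(" ")
        directives.setdefault(name, []).append(value.strip())
    return directives


def parse_dep_sums(text: str) -> List[DepSum]:
    """Parse dep_sums records, rejecting malformed lines instead of skipping them."""
    records: List[DepSum] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) < 5:
            raise ValueError(f"dep_sums line {lineno}: expected at least 5 fields")
        name, version, kind, algo, digest = fields[:5]
        key_path = fields[5] if len(fields) > 5 else None
        if kind not in ("hmac", "keyfp"):
            raise ValueError(f"dep_sums line {lineno}: unknown record type {kind!r}")
        if algo != "sha256":
            raise ValueError(f"dep_sums line {lineno}: unsupported algorithm {algo!r}")
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"dep_sums line {lineno}: digest is not 64 hex chars")
        if kind == "keyfp" and key_path is None:
            raise ValueError(f"dep_sums line {lineno}: keyfp record needs a key path")
        records.append(DepSum(name, version, kind, algo, digest, key_path))
    return records


def verify_archive(record: DepSum, data: bytes) -> bool:
    """Assumption: an hmac/sha256 record holds the plain SHA-256 of the archive bytes."""
    if record.kind != "hmac":
        raise ValueError("not a content record")
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), record.digest)


def verify_key(record: DepSum, key_bytes: bytes) -> bool:
    """Assumption: a keyfp record holds the SHA-256 of the key file's bytes."""
    if record.kind != "keyfp":
        raise ValueError("not a key fingerprint record")
    return hmac.compare_digest(hashlib.sha256(key_bytes).hexdigest(), record.digest)


def sign_key_consistent(directives: Dict[str, List[str]], records: List[DepSum]) -> bool:
    """The \\sign_key fingerprint must match every keyfp record for the same key path."""
    for entry in directives.get("sign_key", []):
        fp, _, path = [p.strip() for p in entry.partition(";")]
        for r in records:
            if r.kind == "keyfp" and r.key_path == path and not hmac.compare_digest(r.digest, fp):
                return False
    return True


def check_all(slul_text: str, dep_sums_text: str,
              archives: Dict[str, bytes], keys: Dict[str, bytes]) -> Dict[str, bool]:
    """Verify every declared dependency; returns a per-file pass/fail map."""
    directives = parse_slul_directives(slul_text)
    records = parse_dep_sums(dep_sums_text)
    results: Dict[str, bool] = {}
    for dep in directives.get("depends", []):
        for r in records:
            if r.name != dep:
                continue
            if r.kind == "hmac":
                fname = f"{r.name}-{r.version}.tar.gz"   # naming follows the note's example
                results[fname] = verify_archive(r, archives[fname])
            else:
                results[r.key_path] = verify_key(r, keys[r.key_path])
    results["sign_key"] = sign_key_consistent(directives, records)
    return results


if __name__ == "__main__":
    for item, ok in check_all(SAMPLE_SLUL, SAMPLE_DEP_SUMS, SAMPLE_ARCHIVES, SAMPLE_KEYS).items():
        print(f"{item}: {'OK' if ok else 'MISMATCH'}")
```

Digest comparisons use hmac.compare_digest so that a mismatch is not reported faster or slower depending on how many leading characters agree, and malformed dep_sums lines raise rather than being silently skipped, so a truncated or edited trust file cannot quietly drop a dependency from verification.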