On 7/21/19 4:40 AM, Ralf Mardorf via arch-general wrote:
On Sun, 21 Jul 2019 02:42:39 -0400, Eli Schwartz via arch-general wrote:
The latter problem is why I'm incredibly frustrated by projects that use PGP, too -- when the only thing they sign is a file containing checksums, and not the actual source file.
But it doesn't matter, since when the checksum is signed, it's more or less the same as signing the source file/s, that's why almost all simply sign a file containing one or more checksums. Why should this be frustrating? If we are able to ensure that a checksum isn't faked, IOW if we can trust the checksum, then we are safe that a source file passing a check against the proven checksum is correct, too.
I can't speak for why it bothers Eli, but it bothers me because that's exactly what GPG detached sigs are already: signed hash checksums. The signify method is a signed hash checksum of a (list of) hash checksum(s). To me it feels like an unnecessary abstraction when one could just provide .sig files for each file and be more widely compatible.

--
brent saner
https://square-r00t.net/
GPG info: https://square-r00t.net/gpg-info
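The two verification flows the thread compares, as an added example that is not part of the original messages: flow A is a detached signature per file, flow B is one signed checksum list. It uses openssl rather than gpg or signify so it runs without a keyring, but the structure is the same point the replies make: a detached signature is a signed hash of the file, and a signed checksum list is a signed hash of a file of hashes. The key pair, file names and file contents are constructed for the demo; openssl, sha256sum and mktemp are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread): detached-signature-per-file (flow A)
# versus one signed checksum list (flow B), built with openssl instead of a
# PGP keyring. Assumes openssl 1.1+, sha256sum and mktemp are present; the
# key, file names and contents below are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Throwaway RSA key pair standing in for a project's signing key (constructed).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out signer.pem 2>/dev/null
openssl pkey -in signer.pem -pubout -out signer.pub 2>/dev/null

# Constructed "release" files.
printf 'source release contents\n' > project-1.0.tar
printf 'changelog\n' > CHANGES

# Flow A: one detached signature per file (the .sig-per-file approach).
openssl dgst -sha256 -sign signer.pem -out project-1.0.tar.sig project-1.0.tar

# Flow B: one signed checksum list covering every file (the signify-style approach).
sha256sum project-1.0.tar CHANGES > SHA256SUMS
openssl dgst -sha256 -sign signer.pem -out SHA256SUMS.sig SHA256SUMS
cp SHA256SUMS SHA256SUMS.signed   # pristine copy so later checks can restore it

# Flow A verification is a single step: the signature binds the file bytes directly.
verify_detached() {
    if openssl dgst -sha256 -verify signer.pub -signature project-1.0.tar.sig \
        project-1.0.tar >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Flow B verification is two steps, and both are mandatory: the signature
# proves the list is the publisher's, sha256sum -c proves each file matches
# the list. Running sha256sum -c without the signature check proves nothing.
verify_checksum_list() {
    if ! openssl dgst -sha256 -verify signer.pub -signature SHA256SUMS.sig \
        SHA256SUMS >/dev/null 2>&1; then echo fail; return 0; fi
    if sha256sum -c --quiet --strict SHA256SUMS >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# A modified source file fails under both flows. Prints "A/B" results, then
# restores the original file so other checks stay independent.
verify_after_tamper() {
    printf 'extra bytes\n' >> project-1.0.tar
    printf '%s/%s\n' "$(verify_detached)" "$(verify_checksum_list)"
    printf 'source release contents\n' > project-1.0.tar
}

# A checksum list that was regenerated but not re-signed fails at the
# signature step, even though sha256sum -c on its own would report OK.
# Restores the signed list and the original CHANGES afterwards.
verify_edited_list() {
    printf 'extra bytes\n' >> CHANGES
    sha256sum project-1.0.tar CHANGES > SHA256SUMS   # consistent hashes, no signature
    r="$(verify_checksum_list)"
    cp SHA256SUMS.signed SHA256SUMS
    printf 'changelog\n' > CHANGES
    echo "$r"
}

echo "detached:      $(verify_detached)"
echo "checksum list: $(verify_checksum_list)"
echo "after tamper:  $(verify_after_tamper)"
echo "edited list:   $(verify_edited_list)"
```

The only operational difference the script exposes is that flow B verifiers must run both steps in order; a client that skips the signature check and only runs `sha256sum -c` gets an OK from an unsigned list, which is the failure mode the second check above illustrates.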