On 01/12/2014 10:27 AM, Jelle van der Waa wrote:
> No, you don't rely on hashes for security; hashes are for integrity checks. Signatures are for the verification of a file or message, since anyone can replace the hash on the server and upload a new tarball.
I agree, and I understand how signatures work. But what am I missing? It looks like in e.g. the Firefox package...

https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=p...

...the only thing preventing a man in the middle from tampering with the binaries as an Arch user installs Firefox are those SHA256 hashes.

I guess I just don't understand what happens when I type "pacman -S firefox." Does that run the PKGBUILD on my system, or does it download and install pre-compiled (and signed) Firefox binaries that were created by one of the Arch developers using the PKGBUILD?

I have been assuming the former, that when I do pacman -S firefox or pacman -S truecrypt, it runs the PKGBUILD on *my* system. Is that not the case?

Thanks for your time,

--
Taylor Hornby
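An added example, not part of the thread: a small Python model of the integrity check makepkg performs with a PKGBUILD's sha256sums array (the PKGBUILD fragment, the URL and the tarball bytes are all constructed, not the real Firefox package). It shows why Jelle's distinction matters: the hash check catches a tarball swapped on a mirror, but passes when the tarball and the published hash are replaced together, which is the gap only a signature closes.

```python
import hashlib
import re

# Constructed PKGBUILD fragment mirroring the source/sha256sums layout
# makepkg reads; the digest slot is filled in by the scenarios below.
PKGBUILD = """
source=(https://example.invalid/firefox-26.0.source.tar.bz2
        firefox-install-dir.patch)
sha256sums=('%s'
            'SKIP')
"""

# Constructed stand-ins for the downloaded source files.
GENUINE = b"genuine firefox source tarball bytes (constructed)"
TAMPERED = b"tarball with something extra (constructed)"
PATCH = b"--- constructed patch ---\n"


def parse_sums(pkgbuild: str) -> list:
    """Return the entries of the sha256sums=(...) array, 'SKIP' included."""
    m = re.search(r"sha256sums=\((.*?)\)", pkgbuild, re.S)
    if not m:
        raise ValueError("no sha256sums array in PKGBUILD")
    return re.findall(r"'([^']*)'", m.group(1))


def check_sources(pkgbuild: str, sources: list) -> list:
    """Model of makepkg's check: each source file must hash to its
    sha256sums entry; 'SKIP' disables the check. One bool per source."""
    sums = parse_sums(pkgbuild)
    if len(sums) != len(sources):
        raise ValueError("sha256sums entries do not match source count")
    return [s == "SKIP" or hashlib.sha256(b).hexdigest() == s
            for s, b in zip(sums, sources)]


def hash_check_catches_silent_swap() -> bool:
    """PKGBUILD still carries the genuine digest; only the tarball was
    replaced, so the integrity check fails on it."""
    pb = PKGBUILD % hashlib.sha256(GENUINE).hexdigest()
    return check_sources(pb, [TAMPERED, PATCH]) == [False, True]


def hash_check_misses_hash_rewrite() -> bool:
    """Whoever can replace the tarball AND the published hash gets a clean
    integrity check; a detached signature over the file, made with a key
    they do not hold, is what would still fail here."""
    pb = PKGBUILD % hashlib.sha256(TAMPERED).hexdigest()
    return all(check_sources(pb, [TAMPERED, PATCH]))
```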