On Sun, Jan 12, 2014 at 9:40 PM, Taylor Hornby <havoc@defuse.ca> wrote:
On 01/12/2014 10:27 AM, Jelle van der Waa wrote:
No, you don't rely on hashes for security; hashes are for integrity checks. Signatures are for the verification of a file or message, since anyone can replace the hash on the server and upload a new tarball.
I agree, and I understand how signatures work. But what am I missing? It looks like in e.g. the Firefox package...
https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=p...
...the only thing preventing a man in the middle from tampering with the binaries as an Arch user installs Firefox are those SHA256 hashes.
I guess I just don't understand what happens when I type "pacman -S firefox." Does that run the PKGBUILD on my system, or does it download and install pre-compiled (and signed) Firefox binaries that were created by one of the Arch developers using the PKGBUILD?
I have been assuming the former, that when I do pacman -S firefox or pacman -S truecrypt, it runs the PKGBUILD on *my* system. Is that not the case?
Thanks for your time, -- Taylor Hornby
Which part of the man page or the wiki isn't clear about what 'pacman -S foo' does?