On 02/12, Giancarlo Razzolini wrote:
> On December 2, 2016 11:18 NicoHood wrote:
> > The signature itself is only a signed hash (sha256). So we do rely on the collision resistance of sha256[1] (or whatever GPG itself uses). You are right that hashes themselves are not enough to verify that the original author provided this source. But it gives you the guarantee that you downloaded the same source as the maintainer (PKGBUILD writer) did.
> GPG uses DSA[0]. And the signatures done using GPG are done in a way that requires a key pair on the part of the person doing the signature. The link you sent demonstrates precisely that. They are much more than simple hashes.
That's quite outdated, and RSA has been the default for quite a long time.

--
Sincerely,
Johannes Löthberg
PGP Key ID: 0x50FB9B273A9D0BB5
https://theos.kyriasis.com/~kyrias/
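The distinction the thread is drawing, as an added worked example that is not part of the original messages and not GPG's own code: a detached signature is a hash that has been signed with a private key, so verifying it needs the signer's public key and fails for a different key or a changed byte, whereas a recorded sha256sum only tells you that you fetched the same bytes the maintainer hashed. The example uses Go's standard library RSA (the default GPG key type Johannes mentions) with SHA-256 and RSA-PSS; the tarball contents, the "upstream" and "attacker" key pairs, and the two compromise cases are all constructed here for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// SignDigest hashes src with SHA-256 and signs only that 32-byte digest.
// An OpenPGP data signature is built the same way: the hash is what gets
// signed, and producing the signature requires the signer's private key.
func SignDigest(priv *rsa.PrivateKey, src []byte) ([]byte, error) {
	d := sha256.Sum256(src)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, d[:], nil)
}

// VerifyDigest is true only if sig was made over exactly these bytes by the
// private half of pub. A different key or a changed byte both fail.
func VerifyDigest(pub *rsa.PublicKey, src, sig []byte) bool {
	d := sha256.Sum256(src)
	return rsa.VerifyPSS(pub, crypto.SHA256, d[:], sig, nil) == nil
}

// HashMatches is the check a bare sha256sum in a PKGBUILD provides: the
// bytes you fetched equal the bytes the maintainer hashed, nothing more.
func HashMatches(recorded [32]byte, src []byte) bool {
	return sha256.Sum256(src) == recorded
}

// Outcome records what each check says about one downloaded tarball.
type Outcome struct {
	HashOK        bool // sha256sum recorded by the maintainer matches
	UpstreamSigOK bool // signature verifies under the upstream author's key
	AttackerSigOK bool // attacker's own signature verifies under that key
}

// Scenario walks through two constructed compromises.
// Case 1: the maintainer fetched the genuine tarball; the user is later
// served a modified one. Case 2: upstream was already replaced when the
// maintainer fetched it, so the PKGBUILD hash covers the modified tarball.
func Scenario() (case1, case2 Outcome, err error) {
	upstream, err := rsa.GenerateKey(rand.Reader, 2048) // upstream author's key (constructed)
	if err != nil {
		return
	}
	attacker, err := rsa.GenerateKey(rand.Reader, 2048) // attacker's own key (constructed)
	if err != nil {
		return
	}

	genuine := []byte("foo-1.0.tar.gz: genuine release bytes (constructed)")
	modified := []byte("foo-1.0.tar.gz: backdoored release bytes (constructed)")

	// Only the upstream author can produce this, and it covers the genuine bytes.
	upstreamSig, err := SignDigest(upstream, genuine)
	if err != nil {
		return
	}
	// The attacker can sign the modified bytes, but only with their own key.
	attackerSig, err := SignDigest(attacker, modified)
	if err != nil {
		return
	}

	// What a user sees when checking src against the recorded hash and the
	// signatures, always using the upstream author's public key.
	check := func(recorded [32]byte, src []byte) Outcome {
		return Outcome{
			HashOK:        HashMatches(recorded, src),
			UpstreamSigOK: VerifyDigest(&upstream.PublicKey, src, upstreamSig),
			AttackerSigOK: VerifyDigest(&upstream.PublicKey, src, attackerSig),
		}
	}

	case1 = check(sha256.Sum256(genuine), modified)  // hash alone catches this
	case2 = check(sha256.Sum256(modified), modified) // hash is silent; only the signature fails
	return case1, case2, nil
}

func main() {
	c1, c2, err := Scenario()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("maintainer hashed genuine, user got modified:    %+v\n", c1)
	fmt.Printf("upstream already replaced when maintainer hashed: %+v\n", c2)
}
```

Case 2 is the situation NicoHood describes: the sha256sum passes because maintainer and user fetched identical bytes, and only a signature under a key the upstream author actually holds distinguishes those bytes from the author's release. The attacker's signature fails in both cases because it was made with a different key pair, which is the point Giancarlo makes about GPG signatures needing the signer's key.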