Denis A. AltoƩ Falqueto wrote:
On Wed, May 5, 2010 at 2:49 PM, Denis A. AltoƩ Falqueto <denisfalqueto@gmail.com> wrote:
On Wed, May 5, 2010 at 2:38 PM, Linas <linas_fi@ymail.com> wrote:
I would prefer having the signature along the package. Maybe as a tar extended header. This way you can't lose the detached signature (it also means that you need to download twice as much files).
Hey, that would be cool! We wouldn't need to change the name structure of the package and would not lose the signature.
In fact, that is not possible. Because the signature is made over a stream of bytes, independent of the real content. So, the signing for a .tar.gz is absolutely identical to a signing to a text file or whatever else. If you sign the .tar file and after that sign and insert the signature inside the .tar, you'll invalidate the signature, because the original stream of bytes is not the same anymore. What we could do in the future is to have a signed package format, with an internal .tar.xz file (the real package) and the signature tarred together. But I think this is the least of our worries.
In fact, for tar.gz it is possible since gzip ignores trailing content after a nul, so the signature could be appended there without interfering with non-aware utils. That possibility was used to create illegal primes on the 09 F9 11... "controversy". See http://en.wikipedia.org/wiki/Illegal_prime I didn't mention it because we are now using xz, and it may not support that. Is anyone here familiar with its format? __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com