[arch-general] Packages Verified with MD5

sehraf sehraf at privatdemail.net
Sun Jan 12 05:00:31 EST 2014


On 12.01.2014 10:21, Jelle van der Waa wrote:
> On 01/11/14 at 11:09pm, Taylor Hornby wrote:
>> ...
> SHA256 hashes won't fix anything, since hashes are only integrity checks telling you the downloaded file isn't corrupt.
>
> Signatures however are made to verify that the content isn't modified on
> the server, which as you can see is used in the PKGBUILD. [1]

Signatures are encrypted hashes:
[1] "PGP uses a cryptographically strong hash function on the plaintext
the user is signing. This generates a fixed-length data item known as
a /message digest/. (Again, any change to the information results in a
totally different digest.)

Then PGP uses the digest and the private key to create the "signature."
PGP transmits the signature and the plaintext together. Upon receipt of
the message, the recipient uses PGP to recompute the digest, thus
verifying the signature. PGP can encrypt the plaintext or not; signing
plaintext is useful if some of the recipients are not interested in or
capable of verifying the signature."
>
> The maintainer also says in his PKGBUILD that the download method used
> by truecrypt isn't compatible with makepkg [2]
>
>
> [1] http://www.truecrypt.org/docs/digital-signatures
> [2] https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/truecrypt
[1] http://www.pgpi.org/doc/pgpintro/
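To make the distinction drawn in this thread concrete (a published checksum only catches corruption, while a signature binds the digest to a key the mirror never holds), here is an added example in Go; it is not from the original thread or from any Arch tooling, uses Ed25519 in place of PGP, and all package bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release models what a mirror serves: the package bytes, the checksum the
// mirror advertises next to them, and the maintainer's detached signature.
type Release struct {
	Pkg       []byte
	SHA256Hex string // whoever controls the mirror controls this value too
	Sig       []byte // made with the maintainer's private key, which stays offline
}

// publish is the maintainer's side of the PGP description above: hash the
// content, then sign the digest with the private key.
func publish(priv ed25519.PrivateKey, pkg []byte) Release {
	sum := sha256.Sum256(pkg)
	return Release{Pkg: pkg, SHA256Hex: hex.EncodeToString(sum[:]), Sig: ed25519.Sign(priv, sum[:])}
}

// checksumOK is the sha256sums-in-PKGBUILD style check: it only proves the
// bytes match the checksum that was published alongside them.
func checksumOK(r Release) bool {
	sum := sha256.Sum256(r.Pkg)
	return hex.EncodeToString(sum[:]) == r.SHA256Hex
}

// signatureOK is the recipient's side: recompute the digest and verify the
// signature over it with the maintainer's public key.
func signatureOK(pub ed25519.PublicKey, r Release) bool {
	sum := sha256.Sum256(r.Pkg)
	return ed25519.Verify(pub, sum[:], r.Sig)
}

// tamper models a modified download on the server: the content changes and a
// matching checksum is re-published, but the old signature is all that is left.
func tamper(r Release, replacement []byte) Release {
	sum := sha256.Sum256(replacement)
	return Release{Pkg: replacement, SHA256Hex: hex.EncodeToString(sum[:]), Sig: r.Sig}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := publish(priv, []byte("constructed sample archive bytes"))
	bad := tamper(good, []byte("constructed modified archive bytes"))
	fmt.Println("genuine:  checksum", checksumOK(good), "signature", signatureOK(pub, good)) // true true
	fmt.Println("modified: checksum", checksumOK(bad), "signature", signatureOK(pub, bad))   // true false
}
```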