[arch-general] Packages Verified with MD5
havoc at defuse.ca
Sun Jan 12 11:30:04 EST 2014
On 01/12/2014 02:21 AM, Jelle van der Waa wrote:
> SHA256 hashes won't fix anything, since hashes are only integrity
> checks telling you the downloaded file isn't corrupt.
Right. I assumed it was the PKGBUILD that was signed and verified,
then it was trusted to download and verify the files it needs. If
that's not the case, I'll have to do some more reading.
> Signatures however are made to verify that the content isn't
> modified on the server, which as you can see is used in the
> PKGBUILD.
The .sig file on the FTP server is the same one you can download from
the TrueCrypt website. If it's used to verify the packages, the client
needs a secure way to get the TrueCrypt Foundation's public key. Where
is that done?
I don't see a .sig file used in the Firefox PKGBUILD, so I assume it's
relying on the SHA256?
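The trust question raised in this message (a pinned checksum anchors a download to the trusted PKGBUILD, whereas a .sig fetched from the same server only helps if the expected signing key is pinned independently) can be made concrete with a small audit script. The following is an added example written for this page; it is not makepkg code and not from the list thread. The PKGBUILD fragments, tarball bytes, hashes and URLs are constructed, the key fingerprint is a placeholder, and the script assumes the validpgpkeys array name that later makepkg releases use for pinning trusted fingerprints; the actual gpg verification step is not modelled, only whether a trust anchor for it exists.

```python
import hashlib
import hmac
import posixpath
import re
from urllib.parse import urlparse

# Constructed sample tarballs: the "real" upstream file and a modified copy.
GOOD_TARBALL = b"constructed tarball contents 1.0\n"
EVIL_TARBALL = b"constructed tarball contents 1.0\n" + b"extra bytes"
GOOD_SUM = hashlib.sha256(GOOD_TARBALL).hexdigest()

# Constructed PKGBUILD fragments (hypothetical packages, not real Arch ones).
PKGBUILD_HASH_ONLY = f"""
pkgname=example-ff
source=("https://example.invalid/ff-1.0.tar.bz2")
sha256sums=('{GOOD_SUM}')
"""

PKGBUILD_SIG_NO_KEY = f"""
pkgname=example-tc
source=("https://example.invalid/tc-1.0.tar.gz"
        "https://example.invalid/tc-1.0.tar.gz.sig")
sha256sums=('{GOOD_SUM}'
            'SKIP')
"""

# Same package, but with a trusted signing-key fingerprint pinned (placeholder value).
PKGBUILD_SIG_PINNED = PKGBUILD_SIG_NO_KEY + "validpgpkeys=('PLACEHOLDER-FINGERPRINT')\n"


def parse_array(pkgbuild: str, name: str) -> list[str]:
    """Return the quoted items of a simple one-level bash array name=( ... )."""
    m = re.search(rf"^{name}=\((.*?)\)", pkgbuild, re.S | re.M)
    return re.findall(r"""["']([^"']*)["']""", m.group(1)) if m else []


def audit(pkgbuild: str, downloads: dict[str, bytes]) -> dict[str, str]:
    """Map each source file name to a verdict.

    A sha256 entry ties the download to the (assumed trusted, signed)
    PKGBUILD, so a mismatch means the file on the mirror is not what the
    packager hashed.  A .sig source only adds authenticity if the PKGBUILD
    also pins which key may sign; otherwise the key would be fetched from
    the same place as the file, which proves nothing.
    """
    sources = parse_array(pkgbuild, "source")
    sums = parse_array(pkgbuild, "sha256sums")
    keys = parse_array(pkgbuild, "validpgpkeys")
    report: dict[str, str] = {}
    for i, url in enumerate(sources):
        fname = posixpath.basename(urlparse(url).path)
        expected = sums[i] if i < len(sums) else None
        if expected is None:
            verdict = "no checksum entry"
        elif expected == "SKIP":
            verdict = "checksum skipped"
        elif fname not in downloads:
            verdict = "file missing"
        else:
            actual = hashlib.sha256(downloads[fname]).hexdigest()
            # Constant-time compare is habit for any digest comparison.
            verdict = "integrity ok" if hmac.compare_digest(actual, expected) else "TAMPERED"
        if fname.endswith(".sig"):
            verdict += ("; signature to be checked against pinned key"
                        if keys else "; signature listed but no key pinned")
        report[fname] = verdict
    return report


if __name__ == "__main__":
    print(audit(PKGBUILD_HASH_ONLY, {"ff-1.0.tar.bz2": GOOD_TARBALL}))
    print(audit(PKGBUILD_HASH_ONLY, {"ff-1.0.tar.bz2": EVIL_TARBALL}))
    print(audit(PKGBUILD_SIG_NO_KEY, {"tc-1.0.tar.gz": GOOD_TARBALL}))
    print(audit(PKGBUILD_SIG_PINNED, {"tc-1.0.tar.gz": GOOD_TARBALL}))
```

The hash-only case shows what the quoted reply means: the checksum catches a modified tarball, but only because the expected value came from a file the client already trusts. The two .sig cases show the point of the question that follows: listing a signature is not enough on its own; the fingerprint has to be pinned somewhere the attacker controlling the mirror cannot rewrite.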