[arch-general] Packages Verified with MD5

Taylor Hornby havoc at defuse.ca
Sun Jan 12 11:30:04 EST 2014


On 01/12/2014 02:21 AM, Jelle van der Waa wrote:
> SHA256 hashes won't fix anything, since hashes are only integrity
> checks telling you the downloaded file isn't corrupt.

Right. I assumed it was the PKGBUILD that was signed and verified,
then it was trusted to download and verify the files it needs. If
that's not the case, I'll have to do some more reading.

> 
> Signatures however are made to verify that the content isn't
> modified on the server, which as you can see is used in the
> PKGBUILD. [1]

The .sig file on the FTP server is the same one you can download from
the TrueCrypt website. If it's used to verify the packages, the client
needs a secure way to get the TrueCrypt Foundation's public key. Where
is that done?

I don't see a .sig file used in the Firefox PKGBUILD, so I assume it's
relying on the SHA256?

Thanks,

-- 
Taylor Hornby


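The two checks the thread contrasts, shown as an added example that is not from the original post, from makepkg, or from any Arch PKGBUILD: a sha256 comparison (integrity) and a detached-signature check pinned to one key fingerprint (authenticity), run against a throwaway "upstream" created in a temp directory. The script assumes GnuPG 2.1 or newer (gpg, gpgconf) and coreutils sha256sum are installed; the key, the tarball content, the file names (pkg.tar, pkg.tar.sig, sha256sums) and the fingerprint are all generated locally and stand in for what a PKGBUILD would list in sha256sums=() and in the validpgpkeys=() array that later makepkg versions added for exactly this pinning. An attacker who can overwrite the download server replaces the tarball and publishes a matching hash next to it, so the hash check still passes; the stale .sig fails because they do not hold upstream's private key.

```shell
#!/bin/sh
# Added example (not from the thread or from makepkg): the two checks a PKGBUILD
# can apply to a downloaded source, run against a throwaway "upstream" built in a
# temp directory. Assumes GnuPG 2.1+ (gpg, gpgconf) and coreutils sha256sum.
set -eu

# Integrity only: passes whenever the file matches the published hash. If the
# attacker controls the server, they publish a matching hash for their file.
sha256_check() {  # file expected_hex -> exit 0 on match
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Authenticity: the detached signature must verify AND be made by the pinned
# fingerprint, matched on gpg's VALIDSIG status line (the same line makepkg
# compares against validpgpkeys=()). A good signature from any other key in
# the keyring is rejected, so having imported "some" key is not enough.
sig_check() {  # keyring_dir file sigfile expected_fingerprint -> exit 0 if good
    status=$(gpg --homedir "$1" --batch --status-fd 1 --verify "$3" "$2" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $4 "
}

# Build the upstream side in DIR: a signing key (throwaway, no passphrase), a
# release tarball, its detached .sig, and the hash a maintainer would copy into
# sha256sums=(). The tarball content is constructed sample data.
make_release() {  # dir
    mkdir -m 700 -p "$1/keys"
    gpg --homedir "$1/keys" --batch --passphrase '' --pinentry-mode loopback \
        --quick-gen-key 'Upstream <upstream@example.invalid>' ed25519 sign never >/dev/null 2>&1
    printf 'genuine release\n' > "$1/pkg.tar"
    gpg --homedir "$1/keys" --batch --passphrase '' --pinentry-mode loopback \
        --detach-sign --output "$1/pkg.tar.sig" "$1/pkg.tar" 2>/dev/null
    sha256sum "$1/pkg.tar" | cut -d' ' -f1 > "$1/sha256sums"
}

# The fingerprint a PKGBUILD author would pin after obtaining it out of band
# (key signing, upstream's web site over TLS, a previously trusted release).
pinned_fingerprint() {  # dir
    gpg --homedir "$1/keys" --batch --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}'
}

# An attacker with write access to the download server swaps the tarball and
# updates the published hash beside it. Without upstream's private key they
# cannot refresh pkg.tar.sig, so the old signature no longer matches the file.
tamper_release() {  # dir
    printf 'backdoored release\n' > "$1/pkg.tar"
    sha256sum "$1/pkg.tar" | cut -d' ' -f1 > "$1/sha256sums"
}

# Run both checks on DIR and print one line with the outcome of each.
report() {  # dir fingerprint label
    if sha256_check "$1/pkg.tar" "$(cat "$1/sha256sums")"; then h=pass; else h=FAIL; fi
    if sig_check "$1/keys" "$1/pkg.tar" "$1/pkg.tar.sig" "$2"; then s=pass; else s=FAIL; fi
    printf '%-8s sha256: %s  signature: %s\n' "$3" "$h" "$s"
}

# Stop the agent gpg started for the temporary keyring and remove the files.
cleanup() {  # dir
    gpgconf --homedir "$1/keys" --kill gpg-agent 2>/dev/null || true
    rm -rf "$1"
}

WORK=$(mktemp -d)
make_release "$WORK"
FPR=$(pinned_fingerprint "$WORK")
report "$WORK" "$FPR" genuine      # sha256: pass  signature: pass
tamper_release "$WORK"
report "$WORK" "$FPR" tampered     # sha256: pass  signature: FAIL
cleanup "$WORK"
```

The fingerprint comparison is the part that answers the question in the message: the signature only protects the package if the fingerprint it is checked against came from somewhere the attacker cannot also edit, which is why pinning it in the PKGBUILD (itself distributed through a signed channel) is stronger than accepting any key found in the builder's keyring.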