[arch-general] Packages Verified with MD5

Taylor Hornby havoc at defuse.ca
Sun Jan 12 12:00:47 EST 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/12/2014 09:30 AM, Taylor Hornby wrote:
> The .sig file on the FTP server is the same one you can download
> from the TrueCrypt website. If it's used to verify the packages,
> the client needs a secure way to get the TrueCrypt Foundation's
> public key. Where is that done?

I figured it out:

"If a signature file in the form of .sig is part of the PKGBUILD
source array, makepkg validates the authenticity of source files. For
example, the signature pkgname-pkgver.tar.gz.sig is used to check the
integrity of the file pkgname-pkgver.tar.gz with the gpg program."

https://wiki.archlinux.org/index.php/makepkg

However, I'm still not sure how and when the client gets the public
key, and the pkcs-2.20.tar.gz file is not covered by the .sig. So I
think it's still relying on the MD5s.

- -- 
Taylor Hornby
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----
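A worked illustration of the makepkg rule quoted above, added here as an example and not taken from makepkg or from the thread: a small checker that reads the source and checksum arrays of a PKGBUILD, pairs each .sig entry with the file it signs, and reports which sources are verified only by a checksum array. The PKGBUILD fragment, its example.org URLs and the checksum values are constructed placeholders, not the real TrueCrypt package. The validpgpkeys array it looks for did not exist in makepkg at the time of this message; it was added to later versions as the way a PKGBUILD pins the fingerprints a signature must come from, which is one answer to the "where does the client get the key" question.

```python
"""Report which PKGBUILD sources are covered by a detached signature.

Added example (not makepkg's own code). It mirrors the rule quoted from
the Arch wiki: a source entry ending in .sig (also .asc or .sign) is a
detached signature for the entry named without that suffix, and every
other entry is checked only by whichever *sums arrays are present.
"""
import re
from collections import namedtuple

SIG_SUFFIXES = (".sig", ".asc", ".sign")
SUM_ARRAYS = ("md5sums", "sha1sums", "sha224sums", "sha256sums",
              "sha384sums", "sha512sums", "b2sums")

# Constructed PKGBUILD fragment: hypothetical package, placeholder URLs
# and checksums. Only the third source lacks a signature.
SAMPLE_PKGBUILD = r'''
pkgname=truecrypt
pkgver=7.1a
source=("https://example.org/truecrypt-${pkgver}-source.tar.gz"
        "https://example.org/truecrypt-${pkgver}-source.tar.gz.sig"
        "pkcs-2.20.tar.gz::https://example.org/pkcs11-headers/v2.20.tar.gz")
md5sums=('00000000000000000000000000000001'
         'SKIP'
         '00000000000000000000000000000003')
'''

Source = namedtuple("Source", "name url")


def parse_array(text, name):
    """Return the elements of a bash array assignment `name=( ... )`.

    Handles single- and double-quoted and bare elements spanning several
    lines. It does not evaluate bash, so ${pkgver} stays literal, which is
    enough for a coverage check.
    """
    m = re.search(r'^\s*' + re.escape(name) + r'=\((.*?)\)', text, re.S | re.M)
    if not m:
        return []
    parts = re.findall(r'"([^"]*)"|\'([^\']*)\'|(\S+)', m.group(1))
    return [dq or sq or bare for dq, sq, bare in parts]


def source_name(entry):
    """makepkg names a download after the URL's last path component unless
    the entry uses the `filename::url` form."""
    if "::" in entry:
        name, url = entry.split("::", 1)
    else:
        url, name = entry, entry.rsplit("/", 1)[-1]
    return Source(name, url)


def coverage(pkgbuild_text):
    """Map each non-signature source to how it is verified."""
    sources = [source_name(e) for e in parse_array(pkgbuild_text, "source")]
    sig_for = {}
    for s in sources:
        for suf in SIG_SUFFIXES:
            if s.name.endswith(suf):
                sig_for[s.name[:-len(suf)]] = s.name
    sums = {a: parse_array(pkgbuild_text, a) for a in SUM_ARRAYS}
    sums = {a: v for a, v in sums.items() if v}
    pinned = bool(parse_array(pkgbuild_text, "validpgpkeys"))
    report = {}
    for i, s in enumerate(sources):
        if any(s.name.endswith(suf) for suf in SIG_SUFFIXES):
            continue  # the signature itself is not a verified artifact
        checks = [a[:-len("sums")] for a, v in sums.items()
                  if i < len(v) and v[i] != "SKIP"]
        report[s.name] = {"signature": sig_for.get(s.name),
                          "checksums": checks,
                          "pinned_keys": pinned}
    return report


def unsigned_sources(report):
    """Sources whose integrity rests on the checksum arrays alone."""
    return sorted(n for n, r in report.items() if r["signature"] is None)


if __name__ == "__main__":
    rep = coverage(SAMPLE_PKGBUILD)
    for name, r in rep.items():
        print(f"{name}: signature={r['signature']} checksums={r['checksums']}"
              f" validpgpkeys={'yes' if r['pinned_keys'] else 'no'}")
    print("signature-less sources:", unsigned_sources(rep))
```

Run against the sample, it reports the main tarball as signed and pkcs-2.20.tar.gz as protected by md5sums only, which is the situation the message describes. A signature entry with SKIP in the checksum array is the normal makepkg convention; a SKIP next to a non-signature source, which the checker would show as an empty checksum list, means that file is not verified at all.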

