[arch-general] Packages Verified with MD5
lisaev at umail.iu.edu
Sun Jan 12 12:04:26 EST 2014
On Sun, 12 Jan 2014 09:30:04 -0700
Taylor Hornby <havoc at defuse.ca> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> On 01/12/2014 02:21 AM, Jelle van der Waa wrote:
> > SHA256 hashes won't fix anything, since hashes are only integrity
> > checks telling you the downloaded file isn't corrupt.
> Right. I assumed it was the PKGBUILD that was signed and verified,
> then it was trusted to download and verify the files it needs. If
> that's not the case, I'll have to do some more reading.
PKGBUILDS are not signed, binary packages are.
> > Signatures however are made to verify that the content isn't
> > modified on the server, which as you can see is used in the
> > PKGBUILD. 
> The .sig file on the FTP server is the same one you can download from
> the TrueCrypt website. If it's used to verify the packages, the client
> needs a secure way to get the TrueCrypt Foundation's public key. Where
> is that done?
In general, a packager has to have the public key in his/her keyring on a
host which is used to build the package. Of course, it is implicit that you
trust that packager's practices...
> I don't see a .sig file used in the Firefox PKGBUILD, so I assume it's
> relying on the SHA256?
Not every project signs the released tarballs. Heck, some do not even release
> - --
> Taylor Hornby
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.22 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
> -----END PGP SIGNATURE-----
GnuPG key: 0x164B5A6D
Fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
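As an added illustration (not part of the thread or of makepkg itself), the shell function below separates the two checks discussed above: a SHA-256 comparison proves only that the download is intact, while a detached .sig proves origin, and only against a key the packager already holds in a keyring on the build host. It assumes `sha256sum` (or `shasum`) and `gpg` are installed; the file, hash, signature and keyring arguments are hypothetical inputs.

```shell
#!/bin/sh
# Added example, not code from the thread or from makepkg.
# verify_source FILE EXPECTED_SHA256 [SIG KEYRING]
#   returns 0 on success, 1 on hash mismatch, 2 on bad/unverifiable signature
verify_source() {
    file=$1; expected=$2; sig=$3; keyring=$4

    # 1. Integrity: does the tarball match the hash recorded in the PKGBUILD?
    #    This only detects corruption; an attacker who controls the mirror can
    #    replace the tarball and the published hash together.
    actual=$( (sha256sum "$file" 2>/dev/null || shasum -a 256 "$file") \
              | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "INTEGRITY FAIL: $file" >&2
        return 1
    fi

    # Upstream publishes no signature: integrity is the only check available.
    [ -n "$sig" ] || return 0

    # 2. Authenticity: is the detached signature valid under a key that is
    #    already in the packager's own keyring? The keyring comes from the
    #    build host, never from the server that served the tarball.
    if gpg --batch --no-default-keyring --keyring "$keyring" \
           --verify "$sig" "$file" 2>/dev/null; then
        return 0
    fi
    echo "SIGNATURE FAIL: $file" >&2
    return 2
}
```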