[arch-general] Packages Verified with MD5

Leonid Isaev lisaev at umail.iu.edu
Sun Jan 12 12:04:26 EST 2014


On Sun, 12 Jan 2014 09:30:04 -0700
Taylor Hornby <havoc at defuse.ca> wrote:

> On 01/12/2014 02:21 AM, Jelle van der Waa wrote:
> > SHA256 hashes won't fix anything, since hashes are only integrity
> > checks telling you the downloaded file isn't corrupt.
> 
> Right. I assumed it was the PKGBUILD that was signed and verified,
> then it was trusted to download and verify the files it needs. If
> that's not the case, I'll have to do some more reading.

PKGBUILDS are not signed, binary packages are.

> 
> > 
> > Signatures however are made to verify that the content isn't
> > modified on the server, which as you can see is used in the
> > PKGBUILD. [1]
> 
> The .sig file on the FTP server is the same one you can download from
> the TrueCrypt website. If it's used to verify the packages, the client
> needs a secure way to get the TrueCrypt Foundation's public key. Where
> is that done?

In general, a packager has to have the public key in his/her keyring on a
host which is used to build the package. Of course, it is implicit that you
trust that packager's practices...

> 
> I don't see a .sig file used in the Firefox PKGBUILD, so I assume it's
> relying on the SHA256?

Not every project signs the released tarballs. Heck, some do not even release
the hashes.

Best,
L.

> 
> Thanks,
> 
> - -- 
> Taylor Hornby



-- 
Leonid Isaev
GnuPG key: 0x164B5A6D
Fingerprint: C0DF 20D0 C075 C3F1 E1BE  775A A7AE F6CB 164B 5A6D
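The distinction drawn in this thread, as an added example that is not code from the thread or from makepkg: a small Python audit that reads a PKGBUILD's source, sha256sums and validpgpkeys arrays and reports whether the package is verified by a detached signature or by hashes alone, plus the plain sha256 integrity check. The PKGBUILD fragments, tarball bytes, URLs and key id are constructed placeholders; validpgpkeys and sha256sums are real makepkg variables.

```python
import hashlib
import re


def sha256_hex(data):
    """Hex SHA-256 of data, the value a PKGBUILD's sha256sums entry holds."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for a downloaded tarball and two PKGBUILD fragments;
# none of this comes from a real Arch package.
SAMPLE_TARBALL = b"constructed tarball bytes, not a real archive\n"
SIGNED_PKGBUILD = """
pkgname=example
source=("https://example.invalid/example-1.0.tar.gz"
        "https://example.invalid/example-1.0.tar.gz.sig")
sha256sums=('%s'
            'SKIP')
validpgpkeys=('0123456789ABCDEF0123456789ABCDEF01234567')  # placeholder key id
""" % sha256_hex(SAMPLE_TARBALL)
HASH_ONLY_PKGBUILD = """
pkgname=hashonly
source=("https://example.invalid/hashonly-2.0.tar.xz")
sha256sums=('%s')
""" % sha256_hex(SAMPLE_TARBALL)


def bash_array(text, name):
    """Return the quoted items of a bash array assignment name=(...)."""
    m = re.search(r'^%s=\((.*?)\)' % re.escape(name), text, re.M | re.S)
    return re.findall(r'''["']([^"']*)["']''', m.group(1)) if m else []


def audit_pkgbuild(text):
    """Report whether a PKGBUILD verifies authenticity or only integrity.

    'signed' requires both a detached signature among the sources and a
    validpgpkeys array naming the key(s) allowed to have produced it; with
    only sha256sums, a tarball replaced together with its published hash
    passes unnoticed.
    """
    sources = [s.split('::', 1)[-1] for s in bash_array(text, 'source')]
    sigs = [s for s in sources if s.endswith(('.sig', '.asc', '.sign'))]
    keys = bash_array(text, 'validpgpkeys')
    return {'sources': sources, 'signature_files': sigs, 'validpgpkeys': keys,
            'sha256sums': bash_array(text, 'sha256sums'),
            'signed': bool(sigs) and bool(keys)}


def sha256_matches(data, expected):
    """Integrity check only: does data hash to the sha256sums entry?"""
    return expected == 'SKIP' or sha256_hex(data) == expected.lower()
```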