[arch-general] Packages Verified with MD5
havoc at defuse.ca
Sun Jan 12 15:40:23 EST 2014
On 01/12/2014 10:27 AM, Jelle van der Waa wrote:
> No, you don't rely on hashes for security; hashes are for
> integrity checks. Signatures are for the verification of a file or
> message, since anyone can replace the hash on the server and upload
> a new tarball.
I agree, and I understand how signatures work. But what am I missing?
It looks like in e.g. the Firefox package...
...the only thing preventing a man in the middle from tampering with
the binaries as an Arch user installs Firefox are those SHA256 hashes.
I guess I just don't understand what happens when I type "pacman -S
firefox." Does that run the PKGBUILD on my system, or does it download
and install pre-compiled (and signed) Firefox binaries that were
created by one of the Arch developers using the PKGBUILD?
I have been assuming the former, that when I do pacman -S firefox or
pacman -S truecrypt, it runs the PKGBUILD on *my* system. Is that not
Thanks for your time,
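The distinction Jelle draws above (a hash detects accidental corruption, a signature detects a substituted artifact) is easy to see in code. The following is an added illustration, not code from this thread, from pacman or from any Arch tooling: a constructed "tarball", a mirror that publishes the tarball together with its SHA-256 and a maintainer signature, and a man-in-the-middle that swaps the tarball and recomputes the hash. The signature is textbook RSA over a twelve-digit toy modulus with no padding, so it is an illustration of the verification logic only and must not be reused; the package names, key values and byte strings are all made up for the example.

```python
"""Hash-only versus signature-based verification of a downloaded package (toy example)."""
import hashlib

# Constructed sample artifacts; these are not real Arch packages.
GENUINE_TARBALL = b"firefox-26.0.tar.bz2: genuine build bytes"
BACKDOORED_TARBALL = b"firefox-26.0.tar.bz2: backdoored build bytes"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- toy RSA (tiny modulus, no padding): illustration only, not secure -----------
def _modinv(a: int, m: int) -> int:
    """Modular inverse of a mod m via the extended Euclidean algorithm."""
    r0, r1, s0, s1 = a, m, 1, 0
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    return s0 % m


P, Q = 1000003, 1000033          # small primes chosen for the demo
N = P * Q
E = 65537
D = _modinv(E, (P - 1) * (Q - 1))
MAINTAINER_PUB = (N, E)          # what every user ships with (e.g. in a keyring)
MAINTAINER_PRIV = (N, D)         # held only by the packager


def sign_digest(priv, data: bytes) -> int:
    """Sign SHA-256(data); the digest is reduced mod N only because N is tiny here."""
    n, d = priv
    h = int(sha256_hex(data), 16) % n
    return pow(h, d, n)


def verify_signature(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    h = int(sha256_hex(data), 16) % n
    return pow(sig, e, n) == h


def publish(tarball: bytes, priv) -> dict:
    """What the mirror serves: the tarball, its hash, and the maintainer's signature."""
    return {
        "tarball": tarball,
        "sha256": sha256_hex(tarball),
        "sig": sign_digest(priv, tarball),
    }


def mitm_replace(package: dict, evil_tarball: bytes) -> dict:
    """An attacker between user and mirror swaps the tarball and recomputes the hash.
    Without the private key the attacker cannot produce a matching signature, so the
    genuine one is simply left in place and will no longer match."""
    return {
        "tarball": evil_tarball,
        "sha256": sha256_hex(evil_tarball),
        "sig": package["sig"],
    }


def check_hash_only(package: dict) -> bool:
    """The check a bare sha256sums= entry gives you: does the hash match the bytes?"""
    return sha256_hex(package["tarball"]) == package["sha256"]


def check_signature(package: dict, pub) -> bool:
    """The check a signature gives you: were these bytes endorsed by the key holder?"""
    return verify_signature(pub, package["tarball"], package["sig"])


if __name__ == "__main__":
    genuine = publish(GENUINE_TARBALL, MAINTAINER_PRIV)
    tampered = mitm_replace(genuine, BACKDOORED_TARBALL)
    print("hash check, genuine :", check_hash_only(genuine))
    print("hash check, tampered:", check_hash_only(tampered))   # still True
    print("sig  check, genuine :", check_signature(genuine, MAINTAINER_PUB))
    print("sig  check, tampered:", check_signature(tampered, MAINTAINER_PUB))
```

The hash check passes for both the genuine and the substituted tarball, because the attacker controls both the bytes and the hash that travels with them; only the signature check, anchored in a key the attacker does not hold, rejects the swap. The same reasoning applies whether the hash lives in a PKGBUILD or in a sidecar file on the mirror.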