[arch-general] Packages Verified with MD5

Taylor Hornby havoc at defuse.ca
Sun Jan 12 15:40:23 EST 2014


On 01/12/2014 10:27 AM, Jelle van der Waa wrote:
> No, you don't rely on hashes for security, hashes are for
> integrity checks. Signatures are for the verification of a file or
> message, since anyone can replace the hash on the server and upload
> a new tarball.

I agree, and I understand how signatures work. But what am I missing?
It looks like in e.g. the Firefox package...

https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/firefox

...the only thing preventing a man in the middle from tampering with
the binaries as an Arch user installs Firefox are those SHA256 hashes.

I guess I just don't understand what happens when I type "pacman -S
firefox." Does that run the PKGBUILD on my system, or does it download
and install pre-compiled (and signed) Firefox binaries that were
created by one of the Arch developers using the PKGBUILD?

I have been assuming the former, that when I do pacman -S firefox or
pacman -S truecrypt, it runs the PKGBUILD on *my* system. Is that not
the case?

Thanks for your time,
-- 
Taylor Hornby

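The two checks this question turns on, as an added example (not code from the thread, from pacman or from makepkg): a makepkg-style check of the PKGBUILD's sha256sums against the downloaded source, and a pacman-style check of a detached signature over the built package against a trusted keyring. For context, pacman -S installs a pre-built package from the repositories and verifies its detached signature; the sha256sums in the PKGBUILD are checked by makepkg when the package is built from source. The signature scheme below is a Lamport one-time signature over SHA-256 standing in for GPG so the example runs on the Python standard library alone; the PKGBUILD text, tarball bytes and package bytes are constructed. It shows Jelle's point: an attacker on the download path can rewrite both the tarball and the hash line, which still passes the hash check, but cannot produce a signature that a keyring of trusted developer keys accepts.

```python
"""Added example, not part of the original thread or of pacman/makepkg.
Models the two checks under discussion on constructed data."""
import hashlib
import re
import secrets


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- makepkg-style source integrity check ---------------------------------
def pkgbuild_sha256sums(pkgbuild: str) -> list:
    """Extract the entries of the sha256sums=( ... ) array from PKGBUILD text."""
    m = re.search(r"sha256sums=\((.*?)\)", pkgbuild, re.S)
    if not m:
        raise ValueError("no sha256sums array in PKGBUILD")
    return [s.strip("'\"") for s in m.group(1).split()]


def makepkg_check(pkgbuild: str, sources: list) -> bool:
    """True when every source blob matches its listed hash ('SKIP' is not checked)."""
    sums = pkgbuild_sha256sums(pkgbuild)
    if len(sums) != len(sources):
        return False
    return all(h == "SKIP" or sha256(blob) == h for h, blob in zip(sums, sources))


# --- pacman-style detached signature check (Lamport OTS, stand-in for GPG) --
def lamport_keygen():
    """One-time key: 256 pairs of secrets; public key is their SHA-256 hashes.
    A Lamport key must sign only one message; it is reused nowhere below."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk


def lamport_sign(sk, data: bytes) -> list:
    """Reveal, for each bit of SHA-256(data), the matching secret preimage."""
    bits = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return [sk[i][(bits >> (255 - i)) & 1] for i in range(256)]


def lamport_verify(pk, data: bytes, sig: list) -> bool:
    bits = int.from_bytes(hashlib.sha256(data).digest(), "big")
    if len(sig) != 256:
        return False
    return all(hashlib.sha256(sig[i]).digest() == pk[i][(bits >> (255 - i)) & 1]
               for i in range(256))


def pacman_check(keyring: dict, package: bytes, sig: tuple) -> bool:
    """sig is (signer key id, lamport signature); the signer must be in the keyring.
    Mirrors the SigLevel=Required idea: no trusted key, no install."""
    keyid, lsig = sig
    pk = keyring.get(keyid)
    return pk is not None and lamport_verify(pk, package, lsig)


# --- demonstration -----------------------------------------------------------
def demo() -> dict:
    results = {}
    # Constructed stand-ins for an upstream tarball, a patch and the PKGBUILD line.
    tarball = b"firefox-26.0.source.tar.bz2 (constructed contents)"
    patch = b"firefox-install-dir.patch (constructed contents)"
    pkgbuild = "sha256sums=('%s'\n            'SKIP')\n" % sha256(tarball)
    results["honest_source_hash_ok"] = makepkg_check(pkgbuild, [tarball, patch])

    # A MITM on the download path rewrites the tarball AND the hash line:
    # a hash check alone cannot tell the difference.
    evil_tarball = tarball + b" + backdoor"
    evil_pkgbuild = pkgbuild.replace(sha256(tarball), sha256(evil_tarball))
    results["mitm_source_hash_still_ok"] = makepkg_check(evil_pkgbuild,
                                                         [evil_tarball, patch])

    # Binary package signed by a developer whose key the user's keyring trusts.
    dev_sk, dev_pk = lamport_keygen()
    keyring = {"dev@example.org": dev_pk}  # hypothetical key id
    package = b"firefox-26.0-1-x86_64.pkg.tar.xz (constructed contents)"
    sig = ("dev@example.org", lamport_sign(dev_sk, package))
    results["dev_signed_package_ok"] = pacman_check(keyring, package, sig)
    results["tampered_package_rejected"] = not pacman_check(keyring, package + b"!", sig)

    # Attacker re-signs the tampered package with a key the keyring does not trust.
    atk_sk, _ = lamport_keygen()
    atk_sig = ("attacker@example.net", lamport_sign(atk_sk, package + b"!"))
    results["attacker_key_rejected"] = not pacman_check(keyring, package + b"!", atk_sig)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-32s %s" % (name, ok))
```

The keyring dictionary plays the role of the pacman keyring: only signers already trusted by the user can make a package acceptable, so replacing the package and its hash on a mirror (or in transit) is not enough.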