[arch-general] Proper use of signify in PKGBUILDs

Ralf Mardorf silver.bullet at zoho.com
Sun Jul 21 08:40:44 UTC 2019


On Sun, 21 Jul 2019 02:42:39 -0400, Eli Schwartz via arch-general wrote:
>The latter problem is why I'm incredibly frustrated by projects that
>use PGP, too -- when the only thing they sign is a file containing 
>checksums, and not the actual source file.

But it doesn't matter, since when the checksum is signed, it's more or
less the same as signing the source file/s, that's why almost all simply
sign a file containing one or more checksums. Why should this be
frustrating? If we are able to ensure that a checksum isn't faked,
IOW if can trust the checksum, than we are safe that a source file
passing a check against the proven checksum is correct, too.


More information about the arch-general mailing list