[arch-general] Proper use of signify in PKGBUILDs
bts at square-r00t.net
Sun Jul 21 13:19:16 UTC 2019
On 7/21/19 4:40 AM, Ralf Mardorf via arch-general wrote:
> On Sun, 21 Jul 2019 02:42:39 -0400, Eli Schwartz via arch-general wrote:
>> The latter problem is why I'm incredibly frustrated by projects that
>> use PGP, too -- when the only thing they sign is a file containing
>> checksums, and not the actual source file.
> But it doesn't matter, since when the checksum is signed, it's more or
> less the same as signing the source file/s, that's why almost all simply
> sign a file containing one or more checksums. Why should this be
> frustrating? If we are able to ensure that a checksum isn't faked,
> IOW if can trust the checksum, than we are safe that a source file
> passing a check against the proven checksum is correct, too.
i can't speak for why it bothers Eli, but it bothers me because that's
exactly what GPG detached sigs are already: signed hash checksums. The
signify method is a signed hash checksum of a (list of) hash
checksum(s). To me it feels like an unnecessary abstraction when one
could just provide .sig files for each file and be more widely compatible.
GPG info: https://square-r00t.net/gpg-info
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 899 bytes
Desc: OpenPGP digital signature
More information about the arch-general