[aur-general] TU Application: Baptiste Jonglez
johannes at kyriasis.com
Sat Dec 3 00:34:21 UTC 2016
On 02/12, Giancarlo Razzolini wrote:
>On December 2, 2016 11:18, NicoHood wrote:
>>The signature itself is only a signed hash (sha256). So we do rely on
>>the collision resistance of sha256 (or whatever the GPG itself uses).
>>You are right, that hashes themselves are not enough to verify that the
>>original author provided this source. But it gives you the guarantee
>>that you downloaded the same source as the maintainer (PKGBUILD writer) did.
>GPG uses DSA. And the signatures done using GPG are done in a way that
>requires a key pair on the part of the person doing the signature. The
>link you sent demonstrates precisely that. They are much more than simple
That's quite outdated, and RSA has been the default for quite a long
PGP Key ID: 0x50FB9B273A9D0BB5