[aur-general] TU Application: Baptiste Jonglez

Johannes Löthberg johannes at kyriasis.com
Sat Dec 3 00:34:21 UTC 2016


On 02/12, Giancarlo Razzolini wrote:
>On December 2, 2016 11:18 NicoHood wrote:
>>
>>The signature itself is only a signed hash (sha256). So we do rely on
>>the collision resistance of sha256[1] (or whatever the GPG itself uses).
>>You are right that hashes themselves are not enough to verify that the
>>original author provided this source. But it gives you the guarantee
>>that you downloaded the same source as the maintainer (PKGBUILD writer) did.
>>
>
>GPG uses DSA[0]. And the signatures done using GPG are done in a way that
>requires a key pair on the part of the person doing the signature. The
>link you sent demonstrates precisely that. They are much more than simple
>hashes.
>
>[0] https://www.gnupg.org/gph/en/manual.html#AEN216

That's quite outdated, and RSA has been the default for quite a long 
time.

-- 
Sincerely,
  Johannes Löthberg
  PGP Key ID: 0x50FB9B273A9D0BB5
  https://theos.kyriasis.com/~kyrias/
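The distinction the quoted exchange draws, a bare checksum versus a signature over that checksum, as an added example that is not part of the thread or of GnuPG: a self-contained Python script using only the standard library that signs a SHA-256 digest with textbook RSA (no padding or digest encoding, so a teaching toy rather than a real signature scheme) and shows what each check does and does not prove. The key sizes, the "tarball" bytes and the modified copy are all constructed here.

```python
"""
Added example: "sign the hash" with textbook RSA over a SHA-256 digest.
Standard library only; toy key sizes and no padding, so not a substitute
for GnuPG. The sample data below is constructed for the demonstration.
"""
import hashlib
import random


def _is_probable_prime(n, rounds=32):
    # Miller-Rabin probabilistic primality test (enough for a toy key).
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    # Top bit forced to 1 so the modulus is always larger than a 256-bit digest.
    while True:
        n = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(n):
            return n


def generate_keypair(bits=512):
    """Return (public, private) as ((n, e), (n, d)). Toy size; constructed."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (p * q, e), (p * q, d)


def digest(data: bytes) -> bytes:
    """The checksum a PKGBUILD carries: anyone can recompute it."""
    return hashlib.sha256(data).digest()


def sign(private, data: bytes) -> int:
    """Signature = digest raised to the private exponent (needs the private key)."""
    n, d = private
    return pow(int.from_bytes(digest(data), "big"), d, n)


def verify(public, data: bytes, sig: int) -> bool:
    """Recover the digest with the public key and compare to a fresh hash."""
    n, e = public
    return pow(sig, e, n) == int.from_bytes(digest(data), "big")


def demo():
    # Constructed sample: the source the maintainer fetched, and a modified copy.
    upstream = b"example-1.0.tar.gz contents (constructed)"
    modified = b"example-1.0.tar.gz contents (constructed) + unwanted change"
    maintainer_pub, maintainer_priv = generate_keypair()
    someone_else_pub, someone_else_priv = generate_keypair()
    sig = sign(maintainer_priv, upstream)
    return {
        # A checksum proves you got the same bytes the maintainer hashed...
        "checksum_matches_same_bytes": digest(upstream) == digest(upstream),
        "checksum_detects_changed_bytes": digest(upstream) != digest(modified),
        # ...but whoever changes the file can publish a matching checksum too.
        "checksum_of_modified_file_is_self_consistent":
            digest(modified) == hashlib.sha256(modified).digest(),
        # A signature additionally binds the bytes to the holder of a private key.
        "signature_verifies_with_signer_key": verify(maintainer_pub, upstream, sig),
        "signature_fails_on_changed_bytes": not verify(maintainer_pub, modified, sig),
        "signature_fails_with_other_key": not verify(someone_else_pub, upstream, sig),
        # Re-signing a modified file with a different key does not pass as the maintainer.
        "other_key_cannot_impersonate_signer":
            not verify(maintainer_pub, modified, sign(someone_else_priv, modified)),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Every entry returned by `demo()` is expected to be `True`: the checksum rows show what a hash in a PKGBUILD gives you (same bytes as the maintainer saw), and the signature rows show what only a key pair adds (a changed file, or a different signer, fails verification against the maintainer's public key).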