[aur-general] TU Application: Baptiste Jonglez

Johannes Löthberg johannes at kyriasis.com
Sat Dec 3 00:34:21 UTC 2016

On 02/12, Giancarlo Razzolini wrote:
>Em dezembro 2, 2016 11:18 NicoHood escreveu:
>>The signature itself is only a signed hash (sha256). So we do rely on
>>the collision resistance of sha256[1] (or whatever the GPG itself uses).
>>You are right, that hashes themselves are not enough to verify that the
>>original author provided this source. But it gives you the guarantee
>>that you downloaded the same source, as the maintainer(PKGBUILD writer) did.
>GPG uses DSA[0]. And the signatures done using GPG are done in a way that
>requires a key pair on the part of the person doing the signature. The
>link you sent demonstrate precisely that. They are much more than simple
>[0] https://www.gnupg.org/gph/en/manual.html#AEN216

That's quite outdated, and RSA has been the default for quite a long 

  Johannes Löthberg
  PGP Key ID: 0x50FB9B273A9D0BB5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1796 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/aur-general/attachments/20161203/517e25a5/attachment.asc>

More information about the aur-general mailing list