[pacman-dev] [arch-general] Package signing

Linas linas_fi at ymail.com
Thu May 6 14:06:25 CEST 2010


Denis A. Altoé Falqueto wrote:
> On Wed, May 5, 2010 at 2:49 PM, Denis A. Altoé Falqueto
> <denisfalqueto at gmail.com> wrote:
>   
>> On Wed, May 5, 2010 at 2:38 PM, Linas <linas_fi at ymail.com> wrote:
>>     
>>> I would prefer having the signature along the package. Maybe as a tar
>>> extended header.
>>> This way you can't lose the detached signature (it also means that you
>>> need to download twice as much files).
>>>       
>> Hey, that would be cool! We wouldn't need to change the name structure
>> of the package and would not lose the signature.
>>     
> In fact, that is not possible. Because the signature is made over a
> stream of bytes, independent of the real content. So, the signing for
> a .tar.gz is absolutely identical to a signing to a text file or
> whatever else. If you sign the .tar file and after that sign and
> insert the signature inside the .tar, you'll invalidate the signature,
> because the original stream of bytes is not the same anymore. What we
> could do in the future is to have a signed package format, with an
> internal .tar.xz file (the real package) and the signature tarred
> together. But I think this is the least of our worries.
>   

In fact, for tar.gz it is possible, since gzip ignores trailing content
after a nul, so the signature could be appended there without interfering
with non-aware utils.
That possibility was used to create illegal primes in the 09 F9 11...
"controversy". See http://en.wikipedia.org/wiki/Illegal_prime

I didn't mention it because we are now using xz, and it may not support
that.
Is anyone here familiar with its format?
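As an added illustration of the trick discussed above (example code written for this page, not code from the thread or from pacman), the following Python builds a gzip or xz stream, appends a marker plus a detached signature after the stream's own end-of-stream marker, and then separates the two again using the decompressor's `unused_data`. The signature is computed over the unmodified stream bytes, which is exactly why it stays valid: nothing the signer covered is changed. An HMAC stands in for the OpenPGP signature; the key and the `PKGSIG1:` marker are constructed for the demo. The caveat a practitioner should know: GNU gzip(1) tolerates trailing garbage (with a warning), but Python's gzip module rejects it, and xz(1) rejects trailing data unless run with `--single-stream`, so "non-aware utils" are not uniformly forgiving and a signature-aware reader has to split the stream itself.

```python
"""Detached signature carried as trailing bytes after a compressed stream.

Added example, not code from the pacman-dev thread. The HMAC stands in for a
real detached signature (OpenPGP in pacman's case); the key and the marker
are constructed for the demo.
"""
import gzip
import hashlib
import hmac
import lzma
import zlib

# Constructed demo key; a real deployment would use an asymmetric signature.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"
# Hypothetical marker so a signature-aware reader can tell a trailer is present.
MARKER = b"PKGSIG1:"


def sign(data: bytes) -> bytes:
    """Stand-in for a detached signature over exactly the bytes given."""
    return hmac.new(DEMO_KEY, data, hashlib.sha256).digest()


def attach_trailer(stream: bytes) -> bytes:
    """Append MARKER + signature after the compressed stream.

    The signed bytes (the stream) are left untouched, which is what keeps the
    signature valid; only bytes after the end-of-stream marker are added.
    """
    return stream + MARKER + sign(stream)


def build_signed_gzip(payload: bytes) -> bytes:
    return attach_trailer(gzip.compress(payload))


def build_signed_xz(payload: bytes) -> bytes:
    return attach_trailer(lzma.compress(payload, format=lzma.FORMAT_XZ))


def split_stream(blob: bytes, fmt: str):
    """Split blob into (payload, stream_bytes, trailer).

    Both decompressors stop at the format's own end-of-stream marker and
    expose the leftover input as unused_data, so no length field is needed.
    """
    if fmt == "gzip":
        d = zlib.decompressobj(wbits=31)  # 16 + 15: gzip wrapper, 32 KiB window
    elif fmt == "xz":
        d = lzma.LZMADecompressor(format=lzma.FORMAT_XZ)
    else:
        raise ValueError(fmt)
    payload = d.decompress(blob)
    if not d.eof:
        raise ValueError("compressed stream is truncated")
    trailer = d.unused_data
    stream = blob[: len(blob) - len(trailer)]
    return payload, stream, trailer


def verify_signed(blob: bytes, fmt: str):
    """Return (ok, payload).

    ok is False when the trailer is missing or the signature does not match
    the stream bytes that precede it (e.g. the stream was tampered with).
    """
    payload, stream, trailer = split_stream(blob, fmt)
    if not trailer.startswith(MARKER):
        return False, payload
    sig = trailer[len(MARKER):]
    return hmac.compare_digest(sig, sign(stream)), payload


def naive_gzip_accepts(blob: bytes) -> bool:
    """Does Python's gzip module accept the blob as-is?

    It does not: unlike GNU gzip(1), which only warns about trailing garbage,
    gzip.decompress raises when the bytes after a member are not another
    gzip header.
    """
    try:
        gzip.decompress(blob)
        return True
    except (OSError, EOFError):  # BadGzipFile is an OSError subclass
        return False


if __name__ == "__main__":
    for fmt, build in (("gzip", build_signed_gzip), ("xz", build_signed_xz)):
        blob = build(b"pacman package contents")
        print(fmt, verify_signed(blob, fmt))
    print("gzip.decompress accepts trailer:",
          naive_gzip_accepts(build_signed_gzip(b"x")))
```

The tamper check in the test below flips a byte of the gzip header's mtime field: the stream still decompresses (mtime is not covered by the CRC), but the signature over the stream bytes no longer matches, which is the property the trailer scheme relies on.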


