[pacman-dev] [arch-general] Package signing

Linas linas_fi at ymail.com
Thu May 6 14:06:25 CEST 2010

Denis A. Altoé Falqueto wrote:
> On Wed, May 5, 2010 at 2:49 PM, Denis A. Altoé Falqueto
> <denisfalqueto at gmail.com> wrote:
>> On Wed, May 5, 2010 at 2:38 PM, Linas <linas_fi at ymail.com> wrote:
>>> I would prefer having the signature along the package. Maybe as a tar
>>> extended header.
>>> This way you can't lose the detached signature (it also means that you
>>> need to download twice as much files).
>> Hey, that would be cool! We wouldn't need to change the name structure
>> of the package and would not lose the signature.
> In fact, that is not possible. Because the signature is made over a
> stream of bytes, independent of the real content. So, the signing for
> a .tar.gz is absolutely identical to a signing to a text file or
> whatever else. If you sign the .tar file and after that sign and
> insert the signature inside the .tar, you'll invalidate the signature,
> because the original stream of bytes is not the same anymore. What we
> could do in the future is to have a signed package format, with an
> internal .tar.xz file (the real package) and the signature tarred
> together. But I think this is the least of our worries.

In fact, for tar.gz it is possible since gzip ignores trailing content
after a nul, so the signature could be appended there without
interfering with non-aware
That possibility was used to create illegal primes on the 09 F9 11...
See http://en.wikipedia.org/wiki/Illegal_prime

I didn't mention it because we are now using xz, and it may not support
Is anyone here familiar with its format?
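
The append-after-the-stream idea above, worked through as an added example; this is not code from the thread or from pacman. It relies on what the gzip format actually gives a reader: a member is self-delimiting (deflate end-of-block, then CRC32 and size), so a decoder knows exactly where it ends and can hand back whatever follows. zlib exposes that remainder as `unused_data`, which is used here to split a package into the gzip member(s) and a trailer, check a signature made over the member bytes only, and decompress. Assumptions: an HMAC-SHA256 tag stands in for the OpenPGP detached signature (the split/verify mechanics are identical for a real signature), the trailer marker `PKGSIG1\n` is invented for this example, and the package is a constructed one-file tar. It goes slightly beyond the text by also handling a gzip file made of several concatenated members, which the format permits.

```python
"""Append a signature after a gzip member and split it off again.

Added example, not pacman code.  Assumptions: HMAC-SHA256 stands in for an
OpenPGP detached signature; SIG_MARKER is a made-up trailer marker; the
sample package is constructed inline.
"""
import gzip
import hashlib
import hmac
import io
import tarfile
import zlib

GZIP_MAGIC = b"\x1f\x8b"
SIG_MARKER = b"PKGSIG1\n"              # hypothetical marker, not a real format
SIGNING_KEY = b"constructed-demo-key"  # stands in for the packager's private key


def build_sample_tar_gz():
    """Constructed sample package: one-file tar, gzip-compressed with mtime=0
    so the bytes are reproducible from run to run."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        body = b"hello from a constructed package\n"
        info = tarfile.TarInfo(name="usr/share/doc/example/README")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return gzip.compress(buf.getvalue(), mtime=0)


def sign(member):
    """Stand-in signature over the exact bytes of the gzip member(s)."""
    return hmac.new(SIGNING_KEY, member, hashlib.sha256).digest()


def attach_signature(member):
    """Append marker + signature *after* the gzip data.  The signed bytes are
    untouched, so the signature stays valid; putting the signature inside
    the signed bytes is what cannot work."""
    return member + SIG_MARKER + sign(member)


def split_gzip_trailer(blob):
    """Return (member_bytes, decompressed, trailer).

    zlib stops at the end of each gzip member and reports the rest of the
    input as unused_data, so no length field is needed to find the boundary.
    A gzip file may be several concatenated members, so keep going while the
    next bytes start another one; the first bytes that do not are the trailer.
    """
    pos = 0
    plain = bytearray()
    while blob[pos:pos + 2] == GZIP_MAGIC:
        d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
        plain += d.decompress(blob[pos:])
        if not d.eof:
            raise ValueError("truncated gzip member")
        pos = len(blob) - len(d.unused_data)
    return blob[:pos], bytes(plain), blob[pos:]


def verify_package(blob):
    """Split, check the trailer against the member bytes, return the tar data."""
    member, plain, trailer = split_gzip_trailer(blob)
    if not trailer.startswith(SIG_MARKER):
        raise ValueError("no signature trailer")
    if not hmac.compare_digest(trailer[len(SIG_MARKER):], sign(member)):
        raise ValueError("signature does not match package bytes")
    return plain


def verification_error(blob):
    """None if the package verifies, otherwise the reason as a string."""
    try:
        verify_package(blob)
        return None
    except (ValueError, zlib.error) as exc:
        return str(exc)


def stdlib_gzip_accepts(blob):
    """Not every 'non-aware' reader tolerates a trailer: Python's gzip module
    raises when the bytes after the last member do not start another member."""
    try:
        gzip.decompress(blob)
        return True
    except OSError:  # gzip.BadGzipFile is a subclass of OSError
        return False


if __name__ == "__main__":
    pkg = build_sample_tar_gz()
    signed = attach_signature(pkg)
    print("trailer bytes:", len(signed) - len(pkg))
    print("verifies:", verification_error(signed) is None)
    names = tarfile.open(fileobj=io.BytesIO(verify_package(signed))).getnames()
    print("tar members:", names)
```

Two caveats before relying on this for real packages. "Non-aware" readers disagree about trailing data: GNU gzip silently accepts trailing zero bytes, but for anything else it prints "trailing garbage ignored" and exits with status 2 (its warning status), and Python's gzip module rejects it outright, as `stdlib_gzip_accepts` shows. For .xz, the `xz` tool treats data after the last stream as an error unless it is run with `--single-stream`, so the same trick needs a more careful look at that format before it can be recommended.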
