On 12.01.2014 10:21, Jelle van der Waa wrote:
> On 01/11/14 at 11:09pm, Taylor Hornby wrote:
>> ...
> SHA256 hashes won't fix anything, since hashes are only integrity checks telling you the downloaded file isn't corrupt.
>
> Signatures however are made to verify that the content isn't modified on
> the server, which as you can see is used in the PKGBUILD. [1]

Signatures are encrypted hashes: [1]

"PGP uses a cryptographically strong hash function on the plaintext the user is signing. This generates a fixed-length data item known as a /message digest/. (Again, any change to the information results in a totally different digest.) Then PGP uses the digest and the private key to create the "signature." PGP transmits the signature and the plaintext together. Upon receipt of the message, the recipient uses PGP to recompute the digest, thus verifying the signature. PGP can encrypt the plaintext or not; signing plaintext is useful if some of the recipients are not interested in or capable of verifying the signature."

> The maintainer also says in his PKGBUILD that the download method used
> by truecrypt isn't compatible with makepkg [2]
>
> [1] http://www.truecrypt.org/docs/digital-signatures
> [2] https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/truecrypt

[1] http://www.pgpi.org/doc/pgpintro/
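The hash-versus-signature distinction discussed in the message above, as an added worked example that is not part of the thread, the Arch PKGBUILD, or any PGP/TrueCrypt code: a toy textbook RSA signature over a SHA-256 digest (no padding, no key management, illustration only), applied to a constructed "tarball" and a constructed tampered copy. It plays out the scenario the thread is about: when the server hosting both the file and its published SHA-256 is compromised, the attacker can republish a matching hash, but cannot produce a signature that verifies under the developer's public key, because the private key never left the developer. All names (`ORIGINAL_FILE`, `compromised_server_scenario`, and so on) are the example's own.

```python
"""Added example: why a signature protects a download while a hash
published next to the file does not.  Textbook RSA over a SHA-256
digest with no padding and toy-sized keys: for illustration only,
not code from the thread, the PKGBUILD, or PGP/TrueCrypt."""
import hashlib
import secrets

# Constructed sample inputs: the "real" tarball and an attacker-modified copy.
ORIGINAL_FILE = b"truecrypt-7.1a-linux-x64.tar.gz (pretend contents)\n"
TAMPERED_FILE = b"truecrypt-7.1a-linux-x64.tar.gz (backdoored contents)\n"


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=1024):
    """Return ((n, e), (n, d)).  Toy RSA; the modulus must exceed 2**256 so a
    SHA-256 digest fits as the message integer without padding."""
    assert bits >= 512
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this is gcd(e, phi) == 1
            break
    n = p * q
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (n, e), (n, d)


def digest_int(data):
    """The fixed-length message digest the quoted PGP text describes."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data, private_key):
    """Hash first, then apply the private key to the digest."""
    n, d = private_key
    return pow(digest_int(data), d, n)


def verify_signature(data, signature, public_key):
    """Recompute the digest and compare it with the signature opened by the public key."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(data)


def verify_published_hash(data, published_sha256_hex):
    """What a checksum on the download page gives you: a corruption check only."""
    return hashlib.sha256(data).hexdigest() == published_sha256_hex


def compromised_server_scenario(bits=512):
    """Server holding the tarball and its SHA-256 is compromised.  The attacker
    swaps the file and republishes a matching hash, but has no private key.
    Returns (hash_check_passes, signature_check_passes) for the tampered file."""
    public_key, private_key = generate_keypair(bits)  # developer's key, made once
    signature = sign(ORIGINAL_FILE, private_key)       # the published .sig
    attacker_hash = hashlib.sha256(TAMPERED_FILE).hexdigest()
    return (verify_published_hash(TAMPERED_FILE, attacker_hash),
            verify_signature(TAMPERED_FILE, signature, public_key))


if __name__ == "__main__":
    print(compromised_server_scenario())  # (True, False): hash fooled, signature not
```

Real tooling (gpg, the `validpgpkeys` array in a PKGBUILD) adds padding, key identity and trust decisions on top of this; the one thing this toy keeps is the asymmetry that matters here: anyone can recompute a hash, only the key holder can re-sign.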