On 01/12/2014 09:30 AM, Taylor Hornby wrote:
> The .sig file on the FTP server is the same one you can download
> from the TrueCrypt website. If it's used to verify the packages,
> the client needs a secure way to get the TrueCrypt Foundation's
> public key. Where is that done?

I figured it out:

"If a signature file in the form of .sig is part of the PKGBUILD source array, makepkg validates the authenticity of source files. For example, the signature pkgname-pkgver.tar.gz.sig is used to check the integrity of the file pkgname-pkgver.tar.gz with the gpg program."

https://wiki.archlinux.org/index.php/makepkg

However, I'm still not sure how and when the client gets the public key, and the pkcs-2.20.tar.gz file is not covered by the .sig. So I think it's still relying on the MD5s.

--
Taylor Hornby
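The makepkg rule quoted above can be checked mechanically: a source entry is only GPG-verifiable when a companion `.sig` also appears in the source array, and anything else falls back to the checksum arrays. The script below is an added example, not code from the thread or from makepkg; it uses a constructed PKGBUILD fragment with placeholder URLs and a deliberately simplified parser for the bash array syntax (real makepkg sources the file with bash, and `$pkgname`-style expansion is not handled here).

```python
"""Report which PKGBUILD sources makepkg can verify with gpg versus checksum only."""
import re

# Constructed PKGBUILD fragment; names and URLs are placeholders, not the
# real TrueCrypt package. Only pkgname-pkgver.tar.gz has a .sig companion.
PKGBUILD = """
pkgname=pkgname
pkgver=pkgver
source=("http://example.invalid/pkgname-pkgver.tar.gz"
        "http://example.invalid/pkgname-pkgver.tar.gz.sig"
        "http://example.invalid/pkcs-2.20.tar.gz")
md5sums=('0123456789abcdef0123456789abcdef'
         'SKIP'
         'fedcba9876543210fedcba9876543210')
"""

# Matches name=( ... ) arrays; simplified, no variable expansion.
ARRAY_RE = re.compile(r"^(\w+)=\((.*?)\)", re.S | re.M)


def parse_arrays(text):
    """Return {name: [items]} for each bash array assignment in text."""
    arrays = {}
    for name, body in ARRAY_RE.findall(text):
        arrays[name] = re.findall(r"""["']?([^"'\s]+)["']?""", body)
    return arrays


def verification_report(text):
    """Map each non-signature source file to 'gpg' or 'checksum-only'.

    'gpg' means a <file>.sig entry is present so makepkg runs gpg on it.
    'checksum-only' means the only check is the md5sums (or other
    checksum array) entry, which is shipped over the same channel as
    the tarball and therefore does not prove who produced it.
    """
    sources = parse_arrays(text).get("source", [])
    names = [s.rsplit("/", 1)[-1] for s in sources]
    signed = {n[:-len(".sig")] for n in names if n.endswith(".sig")}
    report = {}
    for name in names:
        if name.endswith(".sig"):
            continue
        report[name] = "gpg" if name in signed else "checksum-only"
    return report


if __name__ == "__main__":
    for name, how in verification_report(PKGBUILD).items():
        print(f"{name}: {how}")
```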