On Sun, 12 Jan 2014 09:30:04 -0700
Taylor Hornby <havoc@xxxxxxxxx> wrote:

> On 01/12/2014 02:21 AM, Jelle van der Waa wrote:
> > SHA256 hashes won't fix anything, since hashes are only integrity
> > checks telling you the downloaded file isn't corrupt.
>
> Right. I assumed it was the PKGBUILD that was signed and verified,
> then it was trusted to download and verify the files it needs. If
> that's not the case, I'll have to do some more reading.

PKGBUILDs are not signed, binary packages are.

> > Signatures however are made to verify that the content isn't
> > modified on the server, which as you can see is used in the
> > PKGBUILD. [1]
>
> The .sig file on the FTP server is the same one you can download from
> the TrueCrypt website. If it's used to verify the packages, the client
> needs a secure way to get the TrueCrypt Foundation's public key. Where
> is that done?

In general, a packager has to have the public key in his/her keyring on a
host which is used to build the package. Of course, it is implicit that
you trust that packager's practices...

> I don't see a .sig file used in the Firefox PKGBUILD, so I assume it's
> relying on the SHA256?

Not every project signs the released tarballs. Heck, some do not even
release the hashes.

Best,
L.
> Thanks,
>
> --
> Taylor Hornby

--
Leonid Isaev
GnuPG key: 0x164B5A6D
Fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
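The thread's point is that a .sig sitting next to the tarball on the same mirror proves nothing by itself; what makes it useful is that the packager has the upstream key pinned in a keyring on the build host and checks that the signature came from that key. The following is an added example, not from the thread, any PKGBUILD, or makepkg: a POSIX shell check that pairs the sha256 integrity test with a gpg verification that parses gpg's --status-fd output and requires a VALIDSIG from a pinned primary-key fingerprint. The fingerprint, the key names and the status lines are all constructed placeholders, not any real project's key or a captured gpg run.

```shell
#!/bin/sh
# Added example (not from the thread): verify a downloaded tarball the way
# a packager should, pinning the signer's primary-key fingerprint instead
# of accepting any "Good signature". gpg's exit status is 0 for a good
# signature from ANY key in the keyring, so the machine-readable
# --status-fd stream is parsed rather than the exit code.

# Placeholder fingerprint standing in for the upstream key the packager
# obtained out of band (assumption, not any real project's key).
TRUSTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# status_has_validsig STATUS_TEXT EXPECTED_FPR
# Succeeds only if the status stream carries a VALIDSIG whose primary-key
# fingerprint (last field) equals EXPECTED_FPR, and nothing reports a bad
# signature, a missing key, or an expired/revoked key (gpg still emits
# VALIDSIG alongside EXPKEYSIG/REVKEYSIG, so those must be rejected too).
status_has_validsig() {
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    printf '%s\n' "$1" | awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && toupper($NF) == want { ok = 1 }
        END { exit (ok && !bad) ? 0 : 1 }'
}

# sha256_matches FILE EXPECTED_HEX
# The integrity check from the thread: it only tells you the download is
# not corrupt, not that it is what upstream released.
sha256_matches() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# verify_tarball FILE SIGFILE EXPECTED_SHA256 EXPECTED_FPR
# Both checks must pass. The .sig comes from the same mirror as the
# tarball, so only the pinned fingerprint ties the pair to upstream.
verify_tarball() {
    sha256_matches "$1" "$3" || return 1
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null)
    status_has_validsig "$status" "$4"
}

# Constructed status output (not captured from a real gpg run) for the
# three cases a packager hits: a good signature from the pinned key, a good
# signature from some other key that happens to be in the keyring, and a
# signature whose key is not in the keyring at all.
STATUS_PINNED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Upstream <release@example.invalid>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2014-01-12 1389514204 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

STATUS_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Someone Else <other@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2014-01-12 1389514204 0 4 0 1 2 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp'

STATUS_NO_KEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 2 00 1389514204 9 89ABCDEF0123456789ABCDEF0123456789ABCDEF
[GNUPG:] NO_PUBKEY 0123456789ABCDEF'

for c in PINNED OTHER_KEY NO_KEY; do
    eval "s=\$STATUS_$c"
    if status_has_validsig "$s" "$TRUSTED_FPR"; then
        echo "$c: accepted"
    else
        echo "$c: rejected"
    fi
done
```

Only the PINNED case is accepted; a signature from a different key in the keyring and a signature with no key at all are both rejected, which is exactly the distinction "gpg --verify exited 0" does not make. The last VALIDSIG field is compared rather than the first because the first is the signing subkey's fingerprint, and upstream projects rotate subkeys more often than primary keys. The hash check is kept in front of the signature check so a corrupt download fails fast, but passing it alone proves nothing about who produced the file.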