On Sun, Jan 12, 2014 at 9:40 PM, Taylor Hornby <havoc@xxxxxxxxx> wrote:

> On 01/12/2014 10:27 AM, Jelle van der Waa wrote:
>> No, you don't rely on hashes for security, hashes are for
>> integrity checks. Signatures are for the verification of a file or
>> message, since anyone can replace the hash on the server and upload
>> a new tarball.
>
> I agree, and I understand how signatures work. But what am I missing?
> It looks like in e.g. the Firefox package...
>
> https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/firefox
>
> ...the only thing preventing a man in the middle from tampering with
> the binaries as an Arch user installs Firefox are those SHA256 hashes.
>
> I guess I just don't understand what happens when I type "pacman -S
> firefox." Does that run the PKGBUILD on my system, or does it download
> and install pre-compiled (and signed) Firefox binaries that were
> created by one of the Arch developers using the PKGBUILD?
>
> I have been assuming the former, that when I do pacman -S firefox or
> pacman -S truecrypt, it runs the PKGBUILD on *my* system. Is that not
> the case?
>
> Thanks for your time,
> --
> Taylor Hornby

Which part of the man page or the wiki isn't clear about what 'pacman -S foo' does?