On 7/21/19 4:40 AM, Ralf Mardorf via arch-general wrote:
> On Sun, 21 Jul 2019 02:42:39 -0400, Eli Schwartz via arch-general wrote:
>> The latter problem is why I'm incredibly frustrated by projects that
>> use PGP, too -- when the only thing they sign is a file containing
>> checksums, and not the actual source file.
>
> But it doesn't matter, since when the checksum is signed, it's more or
> less the same as signing the source file/s, that's why almost all simply
> sign a file containing one or more checksums. Why should this be
> frustrating? If we are able to ensure that a checksum isn't faked,
> IOW if we can trust the checksum, then we are safe that a source file
> passing a check against the proven checksum is correct, too.
>

I can't speak for why it bothers Eli, but it bothers me because that's
exactly what GPG detached sigs are already: signed hash checksums. The
signify method is a signed hash checksum of a (list of) hash checksum(s).

To me it feels like an unnecessary abstraction when one could just
provide .sig files for each file and be more widely compatible.

-- 
brent saner
https://square-r00t.net/
GPG info: https://square-r00t.net/gpg-info
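The two verification chains being compared in this thread, as an added example that is not part of the original posts: a detached signature binds one file directly, while a signature over a checksum list binds the list, and the verifier must still match the file against an entry in that list. OpenPGP is stood in for by HMAC-SHA256 under a constructed shared key so the example runs offline; `sign`/`verify_sig` mark where `gpg --detach-sign`/`gpg --verify` would be called, and the file names and contents are constructed.

```python
"""Detached signature per file vs. a signed sha256sum-style checksum list.
Added example, not code from the arch-general thread. HMAC-SHA256 under a
constructed key stands in for OpenPGP signing so the script runs offline."""
import hashlib
import hmac

KEY = b"constructed-demo-key"   # stands in for the release signer's PGP key


def sign(data: bytes) -> bytes:
    """Stand-in for 'gpg --detach-sign'; a real PGP sig also covers a hash."""
    return hmac.new(KEY, data, hashlib.sha256).digest()


def verify_sig(data: bytes, sig: bytes) -> bool:
    """Stand-in for 'gpg --verify sig data'."""
    return hmac.compare_digest(sign(data), sig)


def verify_detached(name: str, files: dict, sig: bytes) -> bool:
    """Workflow 1: one .sig per file; a single check binds the file itself."""
    return verify_sig(files[name], sig)


def verify_via_checksum_list(name: str, files: dict,
                             sums: bytes, sums_sig: bytes) -> bool:
    """Workflow 2: signature over a checksum list, then a hash check.
    Both steps are required: a valid signature on the list says nothing
    about a file the list does not mention (the '--ignore-missing' pitfall)."""
    if not verify_sig(sums, sums_sig):
        return False
    for line in sums.decode().splitlines():
        digest, _, listed = line.partition("  ")   # "<hex>  <name>" format
        if listed == name:
            return hashlib.sha256(files[name]).hexdigest() == digest
    return False   # not listed: nothing was signed about this file


# Constructed sample release: two files, a checksum list covering only one.
FILES = {"pkg-1.0.tar.gz": b"tarball contents", "pkg-1.0-extra.bin": b"x"}
SUMS = ("%s  pkg-1.0.tar.gz\n"
        % hashlib.sha256(FILES["pkg-1.0.tar.gz"]).hexdigest()).encode()
SUMS_SIG = sign(SUMS)
TARBALL_SIG = sign(FILES["pkg-1.0.tar.gz"])

if __name__ == "__main__":
    print("detached:", verify_detached("pkg-1.0.tar.gz", FILES, TARBALL_SIG))
    print("via list:", verify_via_checksum_list("pkg-1.0.tar.gz", FILES, SUMS, SUMS_SIG))
    print("unlisted:", verify_via_checksum_list("pkg-1.0-extra.bin", FILES, SUMS, SUMS_SIG))
```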