Re: Should Fedora rpms be signed?

William Hooper wrote:
John Burton said:
[snip]
  
As far as signing packages vs. signing meta-data... Digital signatures
are like real signatures, you want to make sure they are actually attached
to what you are signing.
    
[snip]

IIRC the discussion was that signed meta-data would have the signatures
attached to the MD5sums of the packages.  The MD5sums of the download
could then be checked against the meta-data, verifying that the package is
the same as the package used to create the meta-data.

  
I didn't catch that particular detail earlier, but that would be fine. Like I said, as long as changing the package invalidates the signature then the purpose is served.

John
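
The check discussed in this thread, as an added example that is not part of the original messages: the signature covers only the metadata, the metadata lists each package's digest, and a download is accepted only when both checks pass. Assumptions: SHA-256 is used where the thread mentions MD5sums, a toy unpadded RSA key stands in for the repository's real signing key, and all function names, file names and contents are constructed.

```python
import hashlib

# Toy textbook-RSA key, constructed for this example (unpadded, NOT secure).
# Assumption: it stands in for the repository's real signing key (e.g. GPG).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537        # two Mersenne primes
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))              # private exponent (Python 3.8+)

def digest(data: bytes) -> str:
    # SHA-256 replaces the MD5sums mentioned in the thread.
    return hashlib.sha256(data).hexdigest()

def build_metadata(packages: dict) -> bytes:
    """Repository side: one 'digest  filename' line per package."""
    lines = [f"{digest(body)}  {name}\n" for name, body in sorted(packages.items())]
    return "".join(lines).encode()

def sign(metadata: bytes) -> int:
    """Repository side: sign the digest of the metadata, not the packages."""
    return pow(int(digest(metadata), 16), D, N)

def signature_ok(metadata: bytes, sig: int) -> bool:
    return pow(sig, E, N) == int(digest(metadata), 16)

def verify_download(name: str, body: bytes, metadata: bytes, sig: int) -> str:
    """Client side: check the signature first, then the package digest."""
    if not signature_ok(metadata, sig):
        return "bad-signature"
    listed = {}
    for line in metadata.decode().splitlines():
        hexdigest, filename = line.split("  ", 1)
        listed[filename] = hexdigest
    if name not in listed:
        return "not-listed"
    return "ok" if listed[name] == digest(body) else "digest-mismatch"

# Constructed sample repository (file names and contents are made up).
REPO = {"foo-1.0-1.noarch.rpm": b"original package bytes",
        "bar-2.3-4.noarch.rpm": b"another package"}
METADATA = build_metadata(REPO)
SIGNATURE = sign(METADATA)

if __name__ == "__main__":
    name = "foo-1.0-1.noarch.rpm"
    print(verify_download(name, REPO[name], METADATA, SIGNATURE))
    print(verify_download(name, b"tampered bytes", METADATA, SIGNATURE))
    # Metadata rewritten to match the tampered package, old signature reused.
    forged = build_metadata({**REPO, name: b"tampered bytes"})
    print(verify_download(name, b"tampered bytes", forged, SIGNATURE))
```

Changing the package alone fails the digest check, and rewriting the metadata to match the changed package fails the signature check, so the signature stays bound to the package contents through the listed digest.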

