On Fri, 2004-10-29 at 15:36 +0200, Nils Philippsen wrote:
> On Fri, 2004-10-29 at 09:18 -0400, William Hooper wrote:
> > John Burton said:
> > [snip]
> > > As far as signing packages vs. signing meta-data... Digital signatures
> > > are like real signatures, you want to make sure they are actually attached
> > > to what you are signing.
> > [snip]
> >
> > IIRC the discussion was that signed meta-data would have the signatures
> > attached to the MD5sums of the packages. The MD5sums of the download
> > could then be checked against the meta-data, verifying that the package is
> > the same as the package used to create the meta-data.
>
> This still forces me to use special tools like up2date and yum to access
> the packages if I want to verify their origins.

See my mail (earlier today) regarding the fact that our package signatures
represent an implied certificate. What we want is another certificate,
preferably of a type that is not implied. This could be stored (assuming it
has the cryptographic hashes of the package in it) in either the metadata or
in the package itself. What's important is that it can be differentiated from
the normal package signature in a programmatic way which does not require
knowledge of specific signing keys.

--
Peter

"Obviously, a major malfunction has occurred."
-- Steve Nesbitt, voice of Mission Control, January 28, 1986, as the shuttle
Challenger exploded within view of the grandstands.
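The verification step William Hooper describes (a signed hash list in the metadata, each downloaded package checked against it), carried out in code as an added example; this is not code from the thread or from up2date, yum or rpm. It assumes the metadata carries one "<hexdigest>  <filename>" line per package, the layout written by md5sum, and that the metadata's own signature has already been verified by whatever tool holds the signing key (e.g. a detached GPG signature); only the package-against-metadata check is shown. The digest algorithm is a parameter because MD5, the algorithm named in the thread, is collision-broken today and a repository built this way now would use SHA-256. All function names and sample package bytes are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict


def build_hash_list(packages: Dict[str, bytes], algo: str = "md5") -> str:
    """Produce the hash list that the signed metadata carries.

    One line per package, "<hexdigest>  <filename>" (the md5sum/sha256sum
    layout, an assumption for this example). The repository operator signs
    this text once rather than signing every package individually.
    """
    lines = []
    for name in sorted(packages):
        digest = hashlib.new(algo, packages[name]).hexdigest()
        lines.append(f"{digest}  {name}")
    return "\n".join(lines) + "\n"


def parse_hash_list(metadata: str) -> Dict[str, str]:
    """Parse a hash list back into {filename: hexdigest}, rejecting malformed lines."""
    entries = {}
    for line in metadata.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if not digest or not name:
            raise ValueError(f"malformed hash-list line: {line!r}")
        entries[name] = digest.lower()
    return entries


def verify_download(metadata: str, filename: str, data: bytes, algo: str = "md5") -> bool:
    """Check downloaded package bytes against the signature-verified metadata.

    True only if the file is listed and its digest matches. A file absent
    from the list is rejected as well: the signer never vouched for it, so
    a mirror cannot slip in an extra package by simply adding it to the tree.
    """
    expected = parse_hash_list(metadata).get(filename)
    if expected is None:
        return False
    actual = hashlib.new(algo, data).hexdigest()
    # Constant-time comparison; harmless here but the right habit for digests.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed stand-ins for package files; real RPMs would be read from disk.
    packages = {
        "foo-1.0-1.noarch.rpm": b"constructed foo package bytes",
        "bar-2.3-4.i386.rpm": b"constructed bar package bytes",
    }
    metadata = build_hash_list(packages, "sha256")
    print(metadata)
    print(verify_download(metadata, "foo-1.0-1.noarch.rpm",
                          packages["foo-1.0-1.noarch.rpm"], "sha256"))   # genuine -> True
    print(verify_download(metadata, "foo-1.0-1.noarch.rpm",
                          b"tampered bytes", "sha256"))                  # modified -> False
    print(verify_download(metadata, "extra.rpm", b"anything", "sha256"))  # unlisted -> False
```

Because the hash list is a plain text file, the same check can be done with sha256sum -c against a detached signature and no repository-specific tooling, which is the property Nils asks for.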