On 12/01/03 5:30 PM -0600, Gregory Nowak wrote:
> I used the gpg method you describe below. However, it occurred to me
> that there is nothing stopping someone from potentially cracking an
> ftp server, and changing the iso image, while leaving the asc file
> intact. So, doing gpg --verify <ascfilename> would still tell you the
> signature is correct, even though the iso(s) had been messed with.

The signature file is verified against the iso. If you didn't have it in
the same directory or if it was corrupted, the signature wouldn't verify.

> Am I missing something here, or is this train of thought actually
> correct? If this train of thought is correct, then what's the point of
> the .asc file, other than to give an unsuspecting user a false sense
> of security?

I suppose it is possible that someone could generate a new key with a
userid of security at slackware.com, but you would probably hear about
something like that from other sources.

-- 
Unix is a user friendly operating system. It just picks its friends more
carefully than others.
Thomas Stivers  e-mail: stivers_t at tomass.dyndns.org  gpg: 45CBBABD
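
The two cases discussed in this thread, as an added example that is not part of the original post: a changed ISO next to an untouched .asc fails verification, and a substitute key carrying the same user ID is caught only by comparing the key fingerprint against one obtained from an independent source. The function names, file names, fingerprints and status lines below are constructed placeholders; the script reads the status lines gpg writes with --status-fd.

```shell
#!/bin/sh
# Constructed sample data: placeholder fingerprints, not any real project's key.
PINNED='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
OTHER='BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB'
UID_TEXT='Example Signer <signer@example.invalid>'
# Intact image, signature from the pinned key.
GOOD_STATUS="[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA $UID_TEXT
[GNUPG:] VALIDSIG $PINNED 2003-12-01 1070300000 0 3 0 17 2 00 $PINNED"
# Image changed on the server, .asc left alone.
TAMPERED_STATUS="[GNUPG:] BADSIG AAAAAAAAAAAAAAAA $UID_TEXT"
# Image and .asc both replaced, signed by a new key carrying the same user ID.
LOOKALIKE_STATUS="[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB $UID_TEXT
[GNUPG:] VALIDSIG $OTHER 2003-12-01 1070300000 0 3 0 17 2 00 $OTHER"

# check_status PINNED_FPR  (gpg status lines on stdin)
# Succeeds only for a VALIDSIG from the pinned key with no failure line.
check_status() {
    awk -v pinned="$1" '
        BEGIN { gsub(/ /, "", pinned); pinned = toupper(pinned) }
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "NO_PUBKEY" { bad = 1 }
        # Field 3 is the signing key fingerprint; the last field is the
        # primary key fingerprint when gpg reports one. Appending "" forces
        # a string comparison so digit-only values are not compared as numbers.
        $2 == "VALIDSIG" && (($3 "") == pinned || ($NF "") == pinned) { ok = 1 }
        END { if (pinned != "" && ok && !bad) exit 0; exit 1 }
    '
}

# verify_iso ISO SIG PINNED_FPR: check a detached signature against its data.
verify_iso() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status "$3"
}

# Usage: sh verify.sh image.iso image.iso.asc FINGERPRINT
if [ "$#" -eq 3 ]; then
    verify_iso "$@"
fi
```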