www-repository mailing list archives

From "Brett Porter" <brett.por...@gmail.com>
Subject Re: Summary
Date Thu, 02 Mar 2006 00:24:58 GMT
I understand, but that requires that you get and import keys, which
is a much more sophisticated operation. All we are using the sha1 for
is to check that the download didn't get cut off halfway through.

On 3/2/06, Noel J. Bergman <noel@devtech.com> wrote:
> Brett Porter wrote:
> > one of [MD5,SHA1] is needed for checking download integrity (it's not a
> > security mechanism at all).
> If I sign a file:
>   gpg --output foo.asc --detach-sig --armor foo
> then it is signed by me, and the check:
>   $ gpg --verify foo.asc
> will fail if the file is changed from what I signed.  A PGP signed file can
> be verified against what the release manager claims to have signed.  An MD5
> is only as good as the source for the MD5.
>         --- Noel
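As an added illustration of the two checks the thread contrasts (not code from either poster): a bare-hex .sha1 sidecar, as Maven repositories serve it, catches a truncated download but cannot tell a substituted artifact from a genuine one when the sidecar comes from the same mirror; the guarded tail repeats Noel's detached-signature check with a throwaway key when gpg is installed. The file names and the key's user ID are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Contrasts a .sha1 sidecar check with a
# detached GPG signature check on a constructed artifact.
set -u

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Constructed artifact standing in for a downloaded jar, plus its bare-hex
# sidecar as a Maven repository would serve it.
printf 'constructed artifact contents, 1 of 1\n' > "$work/foo.jar"
sha1sum "$work/foo.jar" | cut -d' ' -f1 > "$work/foo.jar.sha1"

# check_sha1 FILE SIDECAR: exit 0 when the digest matches, 1 otherwise.
check_sha1() {
    expected=$(cat "$2")
    actual=$(sha1sum "$1" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# A download cut off part-way through: the sidecar no longer matches.
head -c 10 "$work/foo.jar" > "$work/foo-truncated.jar"

# A mirror that replaced the artifact AND regenerated the sidecar next to it:
# the checksum is internally consistent, so it proves nothing about origin.
printf 'tampered contents\n' > "$work/foo-evil.jar"
sha1sum "$work/foo-evil.jar" | cut -d' ' -f1 > "$work/foo-evil.jar.sha1"

check_sha1 "$work/foo.jar" "$work/foo.jar.sha1" && echo "intact: sha1 ok"
check_sha1 "$work/foo-truncated.jar" "$work/foo.jar.sha1" || echo "truncated: sha1 rejects"
check_sha1 "$work/foo-evil.jar" "$work/foo-evil.jar.sha1" && echo "tampered with own sidecar: sha1 passes (no security here)"

# The signature check only works against a key obtained out of band; here a
# throwaway key in a private keyring stands in for the release manager's key.
if command -v gpg >/dev/null 2>&1; then
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Release Manager <rm@example.invalid>' default default never 2>/dev/null
    gpg --batch --quiet --output "$work/foo.jar.asc" --detach-sig --armor "$work/foo.jar" 2>/dev/null
    gpg --verify "$work/foo.jar.asc" "$work/foo.jar" 2>/dev/null && echo "signature: ok for signed file"
    gpg --verify "$work/foo.jar.asc" "$work/foo-evil.jar" 2>/dev/null || echo "signature: rejects substituted file"
fi
```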