www-repository mailing list archives

From "Brett Porter" <brett.por...@gmail.com>
Subject Re: Summary
Date Thu, 02 Mar 2006 00:24:58 GMT
I understand, but that requires that you get and import keys, which
is a much more sophisticated operation. All we are using the sha1 for
is to check that the download didn't get cut off halfway through.

On 3/2/06, Noel J. Bergman <noel@devtech.com> wrote:
> Brett Porter wrote:
>
> > one of [MD5,SHA1] is needed for checking download integrity (its not a
> > security mechanism at all).
>
> If I sign a file:
>
>   gpg --output foo.asc --detach-sig --armor foo
>
> then it is signed by me, and the check:
>
>   $ gpg --verify foo.asc
>
> will fail if the file is changed from what I signed.  A PGP signed file can
> be verified against what the release manager claims to have signed.  An MD5
> is only as good as the source for the MD5.
>
>         --- Noel
>
>
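Added example, not part of this thread: a short Python model of the two cases Brett and Noel are distinguishing, using a constructed in-memory mirror (a dict of path to bytes) in place of a real repository. A `.sha1` fetched from the same host as the artifact catches a download cut off halfway, but cannot catch an artifact that was swapped together with its checksum; that gap is what a detached signature from a key the mirror does not hold closes.

```python
import hashlib
from typing import Optional

# Constructed artifact bytes standing in for a real jar (not from any repository).
ARTIFACT = b"PK\x03\x04 constructed artifact contents, not a real jar\n" * 4


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def parse_sha1_file(text: str) -> str:
    """Accept both the bare 'hex' and the 'hex  filename' layouts seen in .sha1 files."""
    token = text.strip().split()[0]
    if len(token) != 40 or any(c not in "0123456789abcdefABCDEF" for c in token):
        raise ValueError("malformed .sha1 file")
    return token.lower()


def build_mirror(artifact: bytes) -> dict:
    """Hypothetical mirror: serves the artifact and a .sha1 generated beside it."""
    return {"foo.jar": artifact, "foo.jar.sha1": sha1_hex(artifact) + "  foo.jar\n"}


def download_and_check(mirror: dict, name: str, truncate_at: Optional[int] = None) -> bool:
    """Fetch name and name.sha1 from the same mirror; True when the digest matches."""
    data = mirror[name]
    if truncate_at is not None:
        data = data[:truncate_at]  # simulate the connection dropping mid-transfer
    expected = parse_sha1_file(mirror[name + ".sha1"])
    return sha1_hex(data) == expected


def demo() -> dict:
    honest = build_mirror(ARTIFACT)
    # A mirror whose artifact was replaced also regenerated the .sha1 next to it,
    # so the checksum is only as trustworthy as the host that served it.
    swapped = build_mirror(ARTIFACT.replace(b"constructed", b"substituted"))
    return {
        "intact": download_and_check(honest, "foo.jar"),
        "truncated": download_and_check(honest, "foo.jar", truncate_at=len(ARTIFACT) // 2),
        "swapped_with_matching_sha1": download_and_check(swapped, "foo.jar"),
    }


if __name__ == "__main__":
    print(demo())
```

Only the truncated download fails the checksum; the swapped artifact passes, which is exactly why a signature check against the release manager's key is a separate step from the integrity check.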
