www-repository mailing list archives

From "Noel J. Bergman" <n...@devtech.com>
Subject RE: Summary
Date Thu, 02 Mar 2006 00:15:41 GMT
Brett Porter wrote:

> one of [MD5,SHA1] is needed for checking download integrity (it's not a
> security mechanism at all).

If I sign a file:

  gpg --output foo.asc --detach-sig --armor foo

then it is signed by me, and the check:

  $ gpg --verify foo.asc

will fail if the file is changed from what I signed.  A PGP signed file can
be verified against what the release manager claims to have signed.  An MD5
is only as good as the source for the MD5.

	--- Noel
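
The contrast drawn in the message above, as an added example that is not part of the original post: a file is changed after signing and its `.md5` is regenerated by whoever serves it, then both checks are run. It assumes GnuPG 2.1 or later and `md5sum` are installed; the key, user ID and file contents are constructed for the demo and live in a temporary keyring.

```shell
#!/bin/sh
# Added demo (constructed data): checksum vs. detached signature when the
# file and its .md5 come from the same source. Throwaway key, temp keyring.

demo_tampered_download() (
    work=$(mktemp -d) || exit 2
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    trap 'gpgconf --kill gpg-agent >/dev/null 2>&1; rm -rf "$work"' EXIT
    mkdir -m 700 "$GNUPGHOME" || exit 2
    cd "$work" || exit 2

    # Release manager: create a passphrase-less demo key and sign foo.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo RM <rm@example.invalid>' \
        default default never 2>/dev/null || exit 2
    printf 'release 1.0\n' > foo
    gpg --batch --quiet --output foo.asc --detach-sig --armor foo \
        2>/dev/null || exit 2

    # Distribution point: foo no longer matches what was signed, and the
    # checksum file is regenerated from the changed file.
    printf 'release 1.0 (altered)\n' > foo
    md5sum foo > foo.md5 || exit 2

    # Downloader: run both checks against what was fetched.
    if md5sum -c foo.md5 >/dev/null 2>&1; then md5=pass; else md5=fail; fi
    if gpg --batch --quiet --verify foo.asc foo 2>/dev/null; then
        sig=pass
    else
        sig=fail
    fi

    # The checksum agrees with the altered file; the signature does not.
    echo "md5=$md5 sig=$sig"
)
```

The signature check is only meaningful when the release manager's public key was obtained and validated independently of the place the download came from.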
