Subject: Re: [agc@netbsd.org: CVS commit: basesrc/usr.sbin/pkg_install/add]
To: Hubert Feyrer <hubert.feyrer@informatik.fh-regensburg.de>
From: Simon Gerraty <sjg@juniper.net>
List: tech-pkg
Date: 10/03/2001 16:53:01
On Thu, 04 Oct 2001 00:57:09 +0200, Hubert Feyrer wrote:
>Indeed. An alternative would be to checksum each single file, as we do
>right now using MD5 hashes. I don't know PGP enough to tell if that's
>possible, or good in general. (Someone might still add a bad binary at the
>end, unsigned. Then again we could require IF signing is on, it'd be on
>for ALL files). Just some random thoughts...

IIRC that was one of the bugs in the original signed jar file design.
You could add a file to such a jar file - and it would magically be
considered blessed.

One benefit of signed packages is simple integrity checking. 
Doing so over the entire tar file is nice.

It would be very nice if the signature could be carried in the package
itself, but as Charles points out that would be tricky to implement.
A lot like the pseudo header used for ip checksums etc.
I'm not sure there is an easy way to incorporate the signature in a
single file and not have something that an old pkg_add etc could
handle.

Which is why I figured something like:

foo.tgz
foo.sig
foo.tgs	(pick a new extension)

where the last is just a tar file of the first two.  Folk who lack
support for checking sigs can either just download the .tgz or
manually unpack the .tgs (or whatever).  No magic needed.

--sjg