Subject: jar format reference (Re: adding gpg to src/gnu/dist)
To: Daniel Carosone <>
From: Daniel Carosone <>
List: tech-security
Date: 05/19/2004 11:11:26
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Tue, May 18, 2004 at 12:00:41PM +1000, Daniel Carosone wrote:
> [.jar format]
> We could adopt that directly, or use the same kind of techniques in a
> tar container - either way, the mechanism used in that format to
> present file signatures is quite elegant and convenient for working
> with unixy scripty type tools. Certainly informative and worth a look.

For reference, a useful plain-english overview of the technique:

The essential point is that the signature is data within the archive,
rather than an encapsulation over it.  There's a file that's similar
to our MD5SUMS file in the metadata directory, and a signature file
over that.  Those can be added, and the file re-zipped, and the
contents will still validate.

If we established filename conventions that allowed multiple signature
files to be added to the archive independently, we'd have something
very useful indeed.  This is what I'd need, as a local administrator,
to "bless" specific 3rd-party packages for automated local

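The in-archive signature scheme the message describes (an MD5SUMS-style digest manifest in a metadata directory, a signature file over that manifest, further signature files added by other parties with the archive re-zipped, and the whole thing still validating), as an added Python example. This is not code from the original post, from NetBSD, or from the jar tooling; it assumes HMAC-SHA256 with a shared secret as a stand-in for a public-key signature, and the file names under META-INF/, the signer names and the sample package contents are constructed for the example.

```python
"""Jar-style in-archive signing, as an added illustration.

Layout (constructed convention for this example):
  META-INF/SHA256SUMS        '<sha256 hex>  <path>' per payload file
  META-INF/<signer>.SIG      detached signature over SHA256SUMS, one per signer

HMAC-SHA256 with a shared secret stands in for a real public-key signature
(assumption); a "signer" is therefore just a name paired with a key."""
import hashlib
import hmac
import io
import zipfile

META_DIR = "META-INF/"
MANIFEST = META_DIR + "SHA256SUMS"
SIG_SUFFIX = ".SIG"


def build_manifest(files):
    """MD5SUMS-style manifest: one '<digest>  <path>' line per payload file."""
    lines = ["%s  %s" % (hashlib.sha256(data).hexdigest(), path)
             for path, data in sorted(files.items())]
    return ("\n".join(lines) + "\n").encode()


def sign_manifest(manifest, key):
    """Detached signature over the manifest bytes (HMAC stand-in for PGP)."""
    return hmac.new(key, manifest, hashlib.sha256).hexdigest().encode()


def _rezip(entries):
    """Write path->bytes as a fresh zip; entry order does not affect validation."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


def _unzip(archive):
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def write_archive(files, signer, key):
    """Build the archive with its manifest and the first signer's signature file."""
    entries = dict(files)
    manifest = build_manifest(files)
    entries[MANIFEST] = manifest
    entries[META_DIR + signer + SIG_SUFFIX] = sign_manifest(manifest, key)
    return _rezip(entries)


def add_signature(archive, signer, key):
    """A further party (e.g. a local admin) blesses the package: add its own
    signature file over the existing manifest and re-zip.  The earlier
    signatures are untouched and keep validating."""
    entries = _unzip(archive)
    entries[META_DIR + signer + SIG_SUFFIX] = sign_manifest(entries[MANIFEST], key)
    return _rezip(entries)


def verify(archive, trusted_keys):
    """Return (content_ok, signers_validated).

    content_ok: every entry outside META-INF/ is listed in the manifest with a
    matching digest, and nothing listed is missing.  Signature validity is
    reported separately, because a valid signature over the manifest says
    nothing about the payload unless the payload matches the manifest."""
    entries = _unzip(archive)
    manifest = entries.get(MANIFEST)
    if manifest is None:
        return False, set()
    listed = dict(reversed(line.split("  ", 1)) for line in manifest.decode().splitlines())
    payload = {p: d for p, d in entries.items() if not p.startswith(META_DIR)}
    content_ok = set(payload) == set(listed) and all(
        hmac.compare_digest(hashlib.sha256(payload[p]).hexdigest(), listed[p])
        for p in payload)
    valid = set()
    for path, data in entries.items():
        if path.startswith(META_DIR) and path.endswith(SIG_SUFFIX):
            signer = path[len(META_DIR):-len(SIG_SUFFIX)]
            key = trusted_keys.get(signer)  # unknown signers are simply ignored
            if key is not None and hmac.compare_digest(sign_manifest(manifest, key), data):
                valid.add(signer)
    return content_ok, valid


# Constructed sample package and keys for the demonstration.
SAMPLE_FILES = {"bin/tool": b"#!/bin/sh\necho hello\n", "share/doc/README": b"docs\n"}
VENDOR_KEY = b"vendor-secret"
ADMIN_KEY = b"local-admin-secret"


def demo():
    """Vendor signs; local admin adds a second signature; tampering and an
    unlisted extra file are caught even though the signatures still verify."""
    trusted = {"vendor": VENDOR_KEY, "localadmin": ADMIN_KEY}
    pkg = write_archive(SAMPLE_FILES, "vendor", VENDOR_KEY)
    blessed = add_signature(pkg, "localadmin", ADMIN_KEY)
    tampered = _unzip(blessed)
    tampered["bin/tool"] = b"#!/bin/sh\nrm -rf /\n"
    extra = _unzip(blessed)
    extra["bin/unlisted"] = b"not in the manifest\n"
    return {"vendor_only": verify(pkg, trusted),
            "both": verify(blessed, trusted),
            "tampered": verify(_rezip(tampered), trusted),
            "unlisted_extra": verify(_rezip(extra), trusted)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point worth noticing in the output is that the "tampered" and "unlisted_extra" cases still report both signatures as valid: the signatures cover only the manifest, so a verifier must check the payload against the manifest as a separate step, and a policy such as "install only if at least one of these signers validated" is applied on top of both results.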