Subject: Re: signed binary pkgs
To: Alan Barrett <>
From: Curt Sampson <>
List: tech-security
Date: 07/30/2005 15:22:14
On Fri, 29 Jul 2005, Alan Barrett wrote:

> 1 to 2 percent.  This might not sound like a lot to you, but when I am
> trying to fit a full release plus as many useful packages as possible
> onto a single CD-ROM, every little bit helps.

For that, I think I would actually suggest just creating a file listing
every file on the CD-ROM, with a size and a hash or two, and signing
that file. Then you cover everything, not just packages, and minimize
any size issues. A simple shell script could check the hashes, and gpg
or whatever will check the file itself.

> It seems very easy to me.  The signer does something like this:
> 	for package in ${list} ; do
> 	     checksum ${package}
> 	done >${checksumfile}
> 	sign ${checksumfile}
> The hypothetical "checksum" command outputs stuff like
> 	Size (foo-1.2.3.tgz) = 4567 bytes
> 	SHA1 (foo-1.2.3.tgz) = da39a3ee5e6b4b0d3255bfef95601890afd80709
> so the detached signature breaks if somebody modifies the embedded
> signature, but that seems like a reasonable tradeoff to me.

Personally, I've got no problem with this mechanism, but I would say
just make it generic (as I suggest for the CD-ROM thing above). There's
no reason that this has to be limited to packages.

Curt Sampson  <>   +81 90 7737 2974
      Make up enjoying your city life...produced by BIC CAMERA