Subject: Re: signed binary pkgs [was: Re: BPG call for use cases]
To: Todd Vierling <>
From: Simon J. Gerraty <>
List: tech-security
Date: 07/30/2005 21:48:18
>> We should be using better hashes than MD5, these days. But yes, possibly
>> just signing the +CONTENTS file would do the trick.

>You'd need to sign the +INSTALL and +DEINSTALL scripts too, as they can
>generate files not tracked by +CONTENTS.

If +CONTENTS is signed (+CONTENTS.sig) and contains sha1 hashes for
+INSTALL etc, then they (+INSTALL etc) are effectively signed as well no?