tech-security: Re: signed binary pkgs [was: Re: BPG call for use cases]

Subject: Re: signed binary pkgs [was: Re: BPG call for use cases]
To: Todd Vierling <tv@duh.org>
From: Simon J. Gerraty <sjg@crufty.net>
List: tech-security
Date: 07/30/2005 21:48:18

>> We should be using better hashes than MD5, these days. But yes, possibly
>> just signing the +CONTENTS file would do the trick.

>You'd need to sign the +INSTALL and +DEINSTALL scripts too, as they can
>generate files not tracked by +CONTENTS.

If +CONTENTS is signed (+CONTENTS.sig) and contains sha1 hashes for
+INSTALL etc, then they (+INSTALL etc) are effectively signed as well no?

--sjg