Should Fedora rpms be signed?

William Hooper whooperhsd3 at earthlink.net
Fri Oct 29 13:18:19 UTC 2004


John Burton said:
[snip]
> As far as signing packages vs. signing meta-data... Digital signatures
> are like real signatures, you want to make sure they are actually attached
> to what you are signing.
[snip]

IIRC the discussion was that signed meta-data would have the signatures
attached to the MD5sums of the packages.  The MD5sums of the download
could then be checked against the meta-data, verifying that the package is
the same as the package used to create the meta-data.

-- 
William Hooper
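
The check chain described in this message, as an added example that is not part of the original post: authenticate the metadata first, then compare the download's digest with the signed one. HMAC stands in for the repository's detached public-key signature so the code runs offline, and SHA-256 replaces the MD5sums mentioned above because MD5 is no longer collision-resistant. All function names, the key and the package data are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC stands in for the repository's detached
# public-key (e.g. GPG) signature so the example runs offline.
DEMO_KEY = b"constructed-demo-key"


def sign_metadata(metadata_bytes, key=DEMO_KEY):
    """Repository side: authenticate the exact metadata bytes."""
    return hmac.new(key, metadata_bytes, hashlib.sha256).hexdigest()


def build_metadata(packages):
    """Map each package name to the digest of its contents."""
    index = {n: hashlib.sha256(d).hexdigest() for n, d in packages.items()}
    return json.dumps(index, sort_keys=True).encode()


def verify_package(name, data, metadata_bytes, signature, key=DEMO_KEY):
    """Client side: return (ok, reason). Fails closed at every step."""
    # 1. Authenticate the metadata before parsing or trusting any of it.
    expected = sign_metadata(metadata_bytes, key)
    if not hmac.compare_digest(expected, signature):
        return False, "metadata signature invalid"
    index = json.loads(metadata_bytes)
    # 2. A package absent from the signed index is not covered by the signature.
    if name not in index:
        return False, "package not listed in signed metadata"
    # 3. Compare the download's digest with the signed one.
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, index[name]):
        return False, "digest mismatch"
    return True, "ok"


# Constructed sample data.
NAME = "foo-1.0-1.noarch.rpm"
PACKAGES = {NAME: b"constructed package payload"}
METADATA = build_metadata(PACKAGES)
SIGNATURE = sign_metadata(METADATA)

if __name__ == "__main__":
    print(verify_package(NAME, PACKAGES[NAME], METADATA, SIGNATURE))
    print(verify_package(NAME, b"tampered payload", METADATA, SIGNATURE))
    print(verify_package(NAME, PACKAGES[NAME], METADATA + b" ", SIGNATURE))
```

Regenerating the metadata for a modified package does not help without the signing key: the old signature no longer matches the new metadata bytes, so step 1 rejects it.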




More information about the fedora-test-list mailing list