signed tarballs

Christian Rebischke Chris.Rebischke at archlinux.org
Thu Apr 13 20:56:49 UTC 2017


On Thu, Apr 13, 2017 at 01:30:57PM -0700, William Roberts wrote:

> That's not true, he's providing you a detached signature via this
> mechanism. You just need to check the sha256sum before extraction.

The problem with providing only a SHA256 hash is that the hash was
provided via an insecure channel. I can't be sure that the hash is really
from him because he didn't even sign his mails. Someone could spoof his
mail or MITM the webserver with the tarballs, etc.

The only secure way to ensure the original content of the tarball is via
signed tarballs signed by the developer.

Checksums and signed tarballs are two totally different things.


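The point Christian makes above, shown as an added shell demonstration that is not part of the thread: a checksum fetched over the same unauthenticated channel as the tarball is replaced along with it, while a detached OpenPGP signature cannot be. It assumes gpg, tar and sha256sum are installed and uses a throwaway key in a temporary GNUPGHOME; every name and file below is constructed for the demo.

```shell
#!/bin/sh
# Added demonstration (not from the thread): a checksum that travelled over the
# same unauthenticated channel as the tarball says nothing about who made it,
# while a detached OpenPGP signature does. Assumes gpg, tar and sha256sum exist;
# the key, names and files below are throwaway values constructed for the demo.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"

# Developer side: one-time signing key (empty passphrase, demo only).
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Demo Dev <dev@example.invalid>' default default never

# Developer publishes the tarball, a SHA256SUMS file and a detached signature.
publish() {
  printf 'int main(void) { return 0; }\n' > "$WORK/main.c"
  tar -C "$WORK" -cf "$WORK/release.tar" main.c
  ( cd "$WORK" && sha256sum release.tar > SHA256SUMS )
  gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
      --detach-sign --armor --output "$WORK/release.tar.asc" "$WORK/release.tar"
}

# Someone controlling the webserver or the path to it replaces the tarball
# AND recomputes SHA256SUMS. release.tar.asc is left as is: no private key.
tamper() {
  printf 'int main(void) { return 1; } /* tampered */\n' > "$WORK/main.c"
  tar -C "$WORK" -cf "$WORK/release.tar" main.c
  ( cd "$WORK" && sha256sum release.tar > SHA256SUMS )
}

# What a downloader can run; each returns 0 on success, non-zero on failure.
check_sum() { ( cd "$WORK" && sha256sum -c SHA256SUMS ) >/dev/null 2>&1; }
check_sig() { gpg --batch --quiet --verify "$WORK/release.tar.asc" "$WORK/release.tar" >/dev/null 2>&1; }

report() { if "$1"; then echo "$1: ok"; else echo "$1: FAIL"; fi; }

publish
echo "-- genuine release --";  report check_sum; report check_sig
tamper
echo "-- after tampering --"; report check_sum; report check_sig   # sum ok, sig FAIL
```

The checksum check still passes after tampering because the attacker rewrote SHA256SUMS too; only the signature check, which depends on the developer's private key, reports the substitution.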