On Tue, Dec 02, 2003 at 03:58:53AM +0100, Goswin von Brederlow wrote:
> John Goerzen <[EMAIL PROTECTED]> writes:
> >
> PS: Does debsigs just sign the control and data file or all files in
> the ar? What if we add some more files at some point (like a
> _buildinfo)?

It cats the control and data files together and signs the result.
Otherwise, an attacker could mix and match control and data files from
different .debs (as long as the files aren't modified) and still cause
havoc.

BTW, there is a design doc in /usr/share/doc/debsigs that describes some
of these things.

-- John