On Thu, Mar 18, 2010 at 04:52:07PM -0700, Russ Allbery wrote: > Frank Lin PIAT <fp...@klabs.be> writes: > > > I have no strong preferences between signed APT and SIGNED DEBs... it is > > just that the remaining of the thread showed that signed DEBs are quite > > tough to implement. (and I still wonder how we could preserve the > > current deb format with "tar.gz in ar", while signing the debs) > > You add an additional ar member that contains the signed checksums of all > of the files in data.tar.gz, possibly another additional member that > contains the signed checksums for control.tar.gz, or you document some > convention so that you can combine both into the same signed checksum > document.
Wouldn't it be simpler to just extract *sums from control.tar.gz, create a detached signature for it and put it in the ar archive, instead of extracting data.tar.gz and generating the sums a second time? Or would this replace dh_*sums during package build time? And then create a second signature over all files in the ar archive directly. This one would be checked before extracting the containing tar.gz files, and the other one would be installed along with the *sums file. harry -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20100320004007.gc1...@nn.nn
