Harald Braumann <ha...@unheit.net> writes:

> On Thu, Apr 15, 2010 at 04:04:51PM +0200, Goswin von Brederlow wrote:
>
>> The checksum file could be attached as additional member in the
>> .deb. And a signature could be a signed file containing the checksum,
>> size and name of all members of a .deb preceding the signature. That
>> way the signature can verify the deb itself or individual members, like
>> the checksum file, in the .deb. Just a thought.
>
> I'm not sure how you mean that exactly. But the signature must be
> over the checksum file, nothing more and nothing less. Otherwise
> you won't be able to verify the checksum file.
A signature could look like this:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

90d462d27ac404ecabfc9ca7f306dec0b81d3576 3456 control.tar.gz
ed43cc24b4f5472d25fc9c82a67daed317c8d415 3573458 data.tar.gz
90d462d27ac404ecab247a82a67daed317c8d415 971 checksum_control
ed43cc24b4f5472d25fc9ca7f306dec0b81d3576 1234 checksum_data
9528348234958345473658358238452836482685 3536 signature_01
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFLyHvbH8SBz+0NfPoRAofQAJoDlO38O3UqfcSyN6xj92s/LQlAzwCgweC2
BiK6lI0aABtTwvXVIEiqXNg=
=cOUY
-----END PGP SIGNATURE-----

> Also I think it's really a very bad idea in general to mix multiple
> different things into one signature. The one thing is a signature over
> installed files (via the checksum file). The other is a signature over
> a package. The two are completely orthogonal and serve different
> purposes.

It would be a signature over members of the .deb file. The meaning of
each member doesn't matter.

> harry

MfG
        Goswin

-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/87k4s7l9pj....@frosties.localdomain
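The member manifest sketched in the message above, as an added example that is not part of the thread or of any Debian tool: a minimal parser for the ar container a .deb uses, a function that emits one "<sha1> <size> <name>" line per member (the shape shown in the clearsigned text), and a check of a single member against that manifest once gpg has verified the signature. The sample archive, its member contents and the member names are constructed; the clearsign/verify step itself is left to gpg and not shown.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"  # every .deb is a plain "ar" archive

def ar_member(name: str, body: bytes) -> bytes:
    """Encode one ar member: 60-byte fixed header + body, padded to even length."""
    header = (name.ljust(16) + "0".ljust(12) + "0".ljust(6) + "0".ljust(6)
              + "100644".ljust(8) + str(len(body)).ljust(10) + "`\n").encode()
    return header + body + (b"\n" if len(body) % 2 else b"")

# Constructed sample .deb; the member bodies are placeholders, not real tarballs.
SAMPLE_DEB = AR_MAGIC + b"".join([
    ar_member("debian-binary", b"2.0\n"),
    ar_member("control.tar.gz", b"constructed control member"),
    ar_member("data.tar.gz", b"constructed data member"),
    ar_member("checksum_data", b"sha1 lines for installed files"),
])

def parse_ar(blob: bytes) -> list:
    """Walk the ar archive and return (member name, member bytes) in file order."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = [], len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar header")
        name = hdr[0:16].decode().rstrip().rstrip("/")  # GNU ar may append '/'
        size = int(hdr[48:58].decode())
        body = blob[pos + 60:pos + 60 + size]
        if len(body) != size:
            raise ValueError("truncated member")
        members.append((name, body))
        pos += 60 + size + (size % 2)  # member data is 2-byte aligned
    return members

def manifest(members) -> str:
    """One '<sha1> <size> <name>' line per member preceding the signature.
    SHA1 is used here only because the post's example shows 'Hash: SHA1'."""
    return "".join(f"{hashlib.sha1(b).hexdigest()} {len(b)} {n}\n" for n, b in members)

def verify_member(manifest_text: str, name: str, body: bytes) -> bool:
    """Check one member against a manifest whose signature gpg already verified."""
    for line in manifest_text.splitlines():
        digest, size, mname = line.split(" ", 2)
        if mname == name:
            return int(size) == len(body) and hashlib.sha1(body).hexdigest() == digest
    return False  # a member the manifest does not list is unverified
```

Because both size and digest are covered, a member that is truncated, swapped, or absent from the signed list fails the check rather than passing silently.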