On Aug 31, 2017 11:21, "Julian Hyde" <jh...@apache.org> wrote:

> After downloading artifacts, there are 3 things to check: (1) the download is successful; (2) the artifacts were indeed created by the named author; and (3) the artifacts have not been tampered with. A security expert would know to use the .md5 for (1), the .asc for (2), and the .sha256 or .sha512 for (3).

If there is a danger that the artifacts may be tampered with, there is an equivalent danger that the checksum files will be tampered with, as well. Checksums alone cannot be relied upon to verify an artifact hasn't been altered. Only the signature allows verification of authorship and integrity ... assuming users have secure access to the corresponding public keys, and that those keys are linked into the web of trust.

- Mike
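The distinction Mike draws, as an added shell example that is not code from the thread: a checksum check against the co-located .sha512 file, and a detached-signature check against a keyring built only from the project's KEYS file. It assumes `sha512sum` (or `shasum`) and `gpg` are installed and that KEYS was fetched from the project's own site rather than the mirror serving the artifact.

```shell
#!/bin/sh
# Added example, not from the thread.  Assumes GNU coreutils or shasum,
# and gpg; the KEYS file path is supplied by the caller.

# SHA-512 digest of a file, lowercase hex, with shasum as a fallback
# for systems that lack GNU coreutils.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# Checksum-only check: compare the artifact's digest with the first token
# of the .sha512 file (handles both "<hash>  <name>" and bare-hash layouts).
# Returns 0 on match.  This proves only that the artifact matches the
# checksum file next to it; whoever can replace the artifact on a mirror
# can replace the .sha512 as well, so it detects corruption, not tampering.
verify_checksum() {
    artifact="$1"; sumfile="$2"
    expected=$(awk '{print $1; exit}' "$sumfile" | tr 'A-F' 'a-f')
    actual=$(sha512_of "$artifact")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Signature check: import KEYS into a throwaway keyring and verify the
# detached .asc against it.  gpg exits 0 only if the signature is valid
# and made by a key present in KEYS.  It does not check web-of-trust
# certification (gpg prints a warning instead), so the trust placed in
# the result is exactly the trust placed in how KEYS was obtained.
verify_signature() {
    artifact="$1"; sigfile="$2"; keys="$3"
    keyring=$(mktemp)
    gpg --no-default-keyring --keyring "$keyring" --import "$keys" >/dev/null 2>&1 &&
    gpg --no-default-keyring --keyring "$keyring" --verify "$sigfile" "$artifact"
    rc=$?
    rm -f "$keyring" "$keyring~"
    return $rc
}
```

A substituted artifact shipped with a matching substituted .sha512 passes `verify_checksum`; only `verify_signature` catches it, and only if KEYS came from a source the attacker could not also replace.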