As security experts, you and I know that. But Joe User maybe only checks one 
digest.

(Aren’t we all Joe User sometimes?)

Julian

> On Aug 31, 2017, at 11:30 AM, Mike Jumper <mike.jum...@guac-dev.org> wrote:
> 
> On Aug 31, 2017 11:21, "Julian Hyde" <jh...@apache.org> wrote:
> 
> After downloading artifacts, there are 3 things to check: (1) the download
> is successful; (2) the artifacts were indeed created by the named author;
> and (3) the artifacts have not been tampered with.
> 
> A security expert would know to use the .md5 for (1), the .asc for (2), and
> the .sha256 or .sha512 for (3).
> 
> 
> If there is a danger that the artifacts may be tampered with, there is an
> equivalent danger that the checksum files will be tampered with, as well.
> Checksums alone cannot be relied upon to verify an artifact hasn't been
> altered.
> 
> Only the signature allows verification of authorship and integrity ...
> assuming users have secure access to the corresponding public keys, and
> that those keys are linked into the web of trust.
> 
> - Mike
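
Mike's point above, that a checksum file served next to the artifact can be replaced together with it, as an added example that is not part of the original thread. The file names, contents and function names are constructed for the demo, and the separately obtained digest is an assumption standing in for a trust anchor outside the mirror, the role the thread gives to the .asc signature and the signer's public key.

```shell
# Added example. All file names and contents are constructed for the demo.

# Build a constructed "mirror" directory: an artifact plus its .sha512 file.
make_mirror() {
    dir=$(mktemp -d) || return 1
    printf 'genuine release contents\n' > "$dir/artifact.tar.gz"
    ( cd "$dir" && sha512sum artifact.tar.gz > artifact.tar.gz.sha512 )
    printf '%s\n' "$dir"
}

# Digest of a file, hex only.
digest_of() {
    sha512sum "$1" | cut -d' ' -f1
}

# Check 1: compare the artifact with the checksum file served next to it.
verify_colocated() {
    ( cd "$1" && sha512sum -c artifact.tar.gz.sha512 >/dev/null 2>&1 )
}

# Check 2: compare the artifact with a digest obtained over a separate,
# trusted channel (an assumption of this demo, standing in for a signature).
verify_pinned() {
    [ "$(digest_of "$1/artifact.tar.gz")" = "$2" ]
}

# Accidental damage: the artifact changes, the checksum file does not.
corrupt_download() {
    printf 'truncat' > "$1/artifact.tar.gz"
}

# Tampering on the mirror: artifact and checksum file are replaced together.
tamper_mirror() {
    printf 'modified release contents\n' > "$1/artifact.tar.gz"
    ( cd "$1" && sha512sum artifact.tar.gz > artifact.tar.gz.sha512 )
}

# Print one result line for both checks in the current state of the mirror.
report() {
    if verify_colocated "$1"; then c=pass; else c=FAIL; fi
    if verify_pinned "$1" "$2"; then p=pass; else p=FAIL; fi
    printf '%-18s colocated=%s pinned=%s\n' "$3" "$c" "$p"
}

m=$(make_mirror); trusted=$(digest_of "$m/artifact.tar.gz")
report "$m" "$trusted" "intact"
corrupt_download "$m"; report "$m" "$trusted" "corrupted download"
tamper_mirror "$m";    report "$m" "$trusted" "tampered mirror"
rm -rf "$m"
```

The co-located check catches the corrupted download but passes again once both files are replaced; only the comparison against the value obtained outside the mirror still fails.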

