In message <[EMAIL PROTECTED]>, Magnus Stenman writes:
>
> At least the first time you download it, perhaps you
> don't have any X.509 software to verify it with?
More specifically, you can't use SSLeay to verify it's own signature, since
you can't trust the code until after the signature has been verified. If I've
modified the code to to bad things, I can just as easily modify it to always
verify a signature on the tarball.
--
C. Harald Koch <[EMAIL PROTECTED]>
"It takes a child to raze a village."
-Michael T. Fry
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
