>> At least the first time you download it, perhaps you
>> don't have any X.509 software to verify it with?
>
>More specifically, you can't use SSLeay to verify its own signature, since
>you can't trust the code until after the signature has been verified. If I've
>modified the code to do bad things, I can just as easily modify it to always
>verify a signature on the tarball.
>
This applies to PGP too! :-)
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]