On Sun April 11 2010, Kenneth Goldman wrote:
> owner-openssl-us...@openssl.org wrote on 04/11/2010 01:38:14 PM:
> 
> > * Kenneth Goldman wrote on Fri, Apr 09, 2010 at 08:12 -0400:
> > >    I notice that the tarballs also include a SHA1 digest. What's the
> > >    point?
> >
> > To have a check whether the FTP download was successful to avoid
> > accidentally using corrupt files, a file integrity check with a
> > checksum is quite common.
> 
> Aha.  So it's just a double check on ftp?  It's not trying to
> protect against an attacker targeting the openssl site or
> the download process?

The e-mail release notices that I receive (and I suppose everyone else)
are cryptographically signed (PGP).

That message contains the tarball's size, md5 sum and sha1 sum along
with the download name and links.

I.e.: Those are part of the signed message.

That should be enough to give at least a "warm and fuzzy" feeling about
the tarball's authenticity.
A level of assurance that is probably higher than any assurance that
can be made about the results of the build process the sources are
then subjected to by the users.

Of course, the way to be _certain_ is to _buy_ a copy of the sources
from a known and trusted security provider following whatever security
protocols that provider has established.

Spend enough money and you can probably even get your copy hand
delivered by a certified, armed courier on secured media.

Mike


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
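
The check described in the message above, as an added example (not part of the original post and not OpenSSL project code): compare a downloaded tarball against the size, MD5 and SHA1 values taken from the release notice. It assumes the notice's PGP signature has already been verified (for example with `gpg --verify`); the field labels, file name and sample data are constructed for illustration.

```python
import hashlib
import io
import re

# Assumed field labels for the notice body (illustrative, not copied from a real notice).
FIELDS = {
    "size": re.compile(r"^\s*Size:\s*(\d+)\s*$", re.M),
    "md5": re.compile(r"^\s*MD5 checksum:\s*([0-9a-fA-F]{32})\s*$", re.M),
    "sha1": re.compile(r"^\s*SHA1 checksum:\s*([0-9a-fA-F]{40})\s*$", re.M),
}

def parse_notice(verified_body):
    """Pull size/md5/sha1 out of notice text whose PGP signature already verified."""
    expected = {}
    for name, rx in FIELDS.items():
        hits = rx.findall(verified_body)
        if len(hits) != 1:  # missing or duplicated field: refuse rather than guess
            raise ValueError(f"expected exactly one {name} field, found {len(hits)}")
        expected[name] = hits[0].lower()
    expected["size"] = int(expected["size"])
    return expected

def check_tarball(stream, expected, chunk=1 << 16):
    """Hash the download in chunks; return the mismatched field names ([] = match)."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    while block := stream.read(chunk):
        size += len(block)
        md5.update(block)
        sha1.update(block)
    actual = {"size": size, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}
    return [k for k in ("size", "md5", "sha1") if actual[k] != expected[k]]

# Constructed sample data: a stand-in "tarball" and a notice body built from it.
SAMPLE_TARBALL = b"constructed stand-in for a release tarball\n" * 100
SAMPLE_NOTICE = f"""
  The distribution file name is:

    o example-1.0.tar.gz
      Size: {len(SAMPLE_TARBALL)}
      MD5 checksum: {hashlib.md5(SAMPLE_TARBALL).hexdigest()}
      SHA1 checksum: {hashlib.sha1(SAMPLE_TARBALL).hexdigest()}
"""

if __name__ == "__main__":
    want = parse_notice(SAMPLE_NOTICE)
    print("intact:  ", check_tarball(io.BytesIO(SAMPLE_TARBALL), want))
    print("tampered:", check_tarball(io.BytesIO(SAMPLE_TARBALL[:-1] + b"X"), want))
```

The comparison only says something about authenticity when the expected values come from the signature-verified notice; digests read from a file sitting next to the tarball on the same server only detect transfer corruption.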
