Re: [Gnu-arch-users] (volunteers?) crypto signatures for arch

[Thomas Zander]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday 08 December 2003 16:59, Tom Lord wrote:
>     > From: Thomas Zander <address@hidden>
>     >
>     > The external file-signing method that you proposed is only used
>     > for whole files. With that I mean the compressed versions.  Its
>     > not really good to sign the content of the tar with a file that
>     > is not _inside_ the tar itself since that means gpg --verify
>     > will not work.
>
> Is there something wrong with `--verify SIGFILE FILES'?  Standard
> Savannah/GNU practice for signing FTP sites is to use detached
> signatures.

Your previous messages led me to believe you did not want to sign the tar 
file itself, since that can be unzipped/rebzipped or something. But the 
uncompressed stream (without tar headers).

If that indeed is the case; then your `--verify SIGFILE FILES' is indeed 
wrong; since you need to uncompress that tar/gz before being able to do 
that.
Well; its not _wrong_ per see, but there is a better solution since the 
external signing is meant to be used for a file that is present in the same 
dir as the signature file.

- -- 
Thomas Zander
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/1KDfCojCW6H2z/QRAoHpAKCYvahHF1KAaWBMQG+zaFc4+PLXSACg587d
2fKqnMSpfOVRZ5T3cZPq44A=
=mC89
-----END PGP SIGNATURE-----