gnu-arch-users

Re: [Gnu-arch-users] signatures and checking


From: Robert Collins
Subject: Re: [Gnu-arch-users] signatures and checking
Date: Tue, 27 Jan 2004 17:02:41 +1100

On Tue, 2004-01-27 at 11:58, Tom Lord wrote:
> Several people have all agreed that the correct thing to do with
> signed checksum files is to ask gpg to print the signed content to
> stdout and to use that output rather than the contents of the file
> when parsing checksum data.
> 
> They point out that, for example, gpg might perform some kind of
> quoting on the checksum data and that quoting can only be reliably
> reversed by asking GPG to make the reversal.
> 
> I believe that that view is incorrect, though I'd like some feedback
> about my opinion in case I've missed something obvious.
> 
> I would like checksum files to have the following properties:
> 
> 1. Checksum data can be reliably extracted from them by tla 
>    _even_if_ the user has no ~/.arch-params/.../*.check file
>    for the relevant archive.
> 
> 
> 2. They are "all in one" -- tla can read them, along with the 
>    signature, in a single file-fetch from the archive.
>    In other words, detached signatures are not an option.

There's a patch to do most of this, and to use gpg to extract the data.
I've yet to review it. The key thing to remember is that the clearsigned
data /may/ be escaped by gpg. So if it's a signed archive, we should
always use gpg to extract the data, and with no check command, we could
default to 'gpg' ourselves. (Isn't a signed archive with no check a
failure anyway?)

Rob
-- 
GPG key available at: <http://www.robertcollins.net/keys.txt>.

Attachment: signature.asc
Description: This is a digitally signed message part
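
Added example, not part of the original message and not code from tla or the patch mentioned above: a small Python sketch of the dash-escaping that the OpenPGP cleartext signature framework (RFC 4880, section 7.1) applies, showing how the bytes stored in a clearsigned file can differ from the content that was signed. The checksum lines are constructed sample data, not tla's real checksum format, and the function names are hypothetical. The sketch does not verify any signature; only gpg can do that.

```python
# Added illustration; sample data is constructed, not tla's real checksum format.
BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG = "-----BEGIN PGP SIGNATURE-----"

# Constructed clearsigned file; the signature body is a placeholder.
SAMPLE = "\n".join([
    BEGIN,
    "Hash: SHA1",
    "",
    "md5 base-0.tar.gz 0123456789abcdef0123456789abcdef",
    "- -- second entry follows",   # signer wrote "-- second entry follows"
    "md5 log fedcba9876543210fedcba9876543210",
    SIG,
    "",
    "(placeholder, not a real signature)",
    "-----END PGP SIGNATURE-----",
    "",
])


def raw_body(text):
    """Lines between the armor headers and the signature, exactly as stored."""
    lines = text.split("\n")
    start = lines.index(BEGIN)
    blank = lines.index("", start)   # the empty line ends the armor headers
    end = lines.index(SIG, blank)
    return lines[blank + 1:end]


def signed_content(text):
    """Reverse dash-escaping: a stored line starting with '- ' loses that prefix."""
    return [l[2:] if l.startswith("- ") else l for l in raw_body(text)]


def escaped_lines(text):
    """Pairs (stored, signed) for every line a raw-file parser would misread."""
    return [(r, s) for r, s in zip(raw_body(text), signed_content(text)) if r != s]


if __name__ == "__main__":
    for stored, signed in escaped_lines(SAMPLE):
        print("stored: %r\nsigned: %r" % (stored, signed))
```

A parser that reads the stored lines directly sees the escaped form, while gpg's output carries the signed form, which is the difference the message is pointing at.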

