Guenter Knauf wrote:

>>>> Can you point out where this is documented?
>>> I'll try to dig that up.
>> If you can, please.
> I think what I meant were the pointers on the download side:
> http://httpd.apache.org/download.cgi
> see down last sentence - however it's not explained how to check
> automatically; but I volunteer to add a section for this.

The last sentence just says that md5 signatures are used, and suggests software that might be used to verify md5 signatures; no mention is made at all as to the format of the md5 files.

As the roll.sh script is the current authoritative mechanism for how md5 signatures are created, and roll.sh makes no guarantee as to the format of the md5 file, all claims made to date that the signatures are in the wrong format are therefore false.

Having said that, if someone wants to modify the roll.sh script to create a more formal way of generating signatures that works *both* with md5sum, and openssl md5, please go ahead and do so. But until someone either makes that change to roll.sh, or posts a patch to make the change to roll.sh, any valid md5 format created by either md5sum or openssl remains valid.

Having undocumented practices (within reason) is evil.

>> Ok, now what you propose only works on Linux and Windows. *BSD? MacOSX?
>> Others?
> http://www.freebsdsoftware.org/sysutils/coreutils.html
> http://coreutils.darwinports.com/
>
> Also it's no reason to force *all* users to verify manually only because
> some OS might lack any of the checksum tools.

openssl md5 offers a -verify option to verify the signature, and this works on a wider set of platforms than md5sum does. I think openssl md5 is a far more practical format to standardise on than md5sum.

Regards,
Graham
--
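Added example, not part of the original message and not the project's roll.sh: a Python checker that accepts a .md5 file in either of the two line formats discussed in this thread, the one written by md5sum and the one written by openssl md5. The function names and the sample file name are assumptions made for illustration.

```python
import hashlib
import re

# Line formats written by the two tools discussed in the thread:
#   md5sum:       "<32 hex>  <name>"   (or "<32 hex> *<name>" in binary mode)
#   openssl md5:  "MD5(<name>)= <32 hex>"
MD5SUM_RE = re.compile(r"^([0-9a-fA-F]{32}) [ *](.+)$")
OPENSSL_RE = re.compile(r"^MD5\((.+)\)=\s*([0-9a-fA-F]{32})$")


def parse_md5_line(line):
    """Return (digest, name, tool) for one line of a .md5 file."""
    line = line.strip()
    m = MD5SUM_RE.match(line)
    if m:
        return m.group(1).lower(), m.group(2), "md5sum"
    m = OPENSSL_RE.match(line)
    if m:
        return m.group(2).lower(), m.group(1), "openssl"
    raise ValueError("unrecognised .md5 line: %r" % line)


def verify(data, md5_text, expected_name=None):
    """Check data against the first non-empty line of a .md5 file.

    If expected_name is given, the name recorded in the .md5 file must
    match it, so a digest published for a different file is rejected.
    """
    lines = [l for l in md5_text.splitlines() if l.strip()]
    if not lines:
        raise ValueError("empty .md5 file")
    digest, name, _tool = parse_md5_line(lines[0])
    if expected_name is not None and name != expected_name:
        return False
    return hashlib.md5(data).hexdigest() == digest


if __name__ == "__main__":
    # Constructed sample: the bytes b"abc" stand in for a release tarball,
    # and "sample.tar.gz" is a made-up file name.
    data = b"abc"
    for text in ("900150983cd24fb0d6963f7d28e17f72  sample.tar.gz\n",
                 "MD5(sample.tar.gz)= 900150983cd24fb0d6963f7d28e17f72\n"):
        print(parse_md5_line(text)[2], verify(data, text, "sample.tar.gz"))
```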