commit: 6f462732060cdec7b5aa3a952155b55a68490c86 Author: Michał Górny <mgorny <AT> gentoo <DOT> org> AuthorDate: Wed Sep 21 18:09:13 2022 +0000 Commit: Ulrich Müller <ulm <AT> gentoo <DOT> org> CommitDate: Sun Nov 13 20:19:41 2022 +0000 URL: https://gitweb.gentoo.org/data/glep.git/commit/?id=6f462732
glep-0078: Clarify that Manifest is signed too Signed-off-by: Michał Górny <mgorny <AT> gentoo.org> Signed-off-by: Ulrich Müller <ulm <AT> gentoo.org> glep-0078.rst | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/glep-0078.rst b/glep-0078.rst index 8b6fabb..d77576a 100644 --- a/glep-0078.rst +++ b/glep-0078.rst @@ -328,7 +328,9 @@ the inner archive contents. This file also provides protection against signature reuse/replacement attacks if the OpenPGP signatures are used. The implementation follows the Manifest specifications in GLEP 74 -[#GLEP74]_ and uses the DATA tag for files within the container. +and uses the ``DATA`` tag for files within the container. +If the package is using OpenPGP signatures, the Manifest file must also +include a cleartext OpenPGP signature as defined in GLEP 74 [#GLEP74]_. The implementation should be able to detect checksum mismatches, as well as missing, duplicate, or extraneous files within
