On 9050 day of my life Jason McCarty wrote: > Maybe, but what alternative do we have today? AIUI, gpg-signing in > general just encrypts a hash (of a hash, in our case), so you need a > good choice for both the hash tla uses and the one gpg uses. So which > hash(es)?
I have an idea: create detached signature of concatenated content of
patch directory:
(cat log; echo "Log delimiter"; cat checksum;
echo "Checksum delimiter"; cat bla--main--0.1--patch-2.tar.gz) \
| gpg --armor --detach-sign > signature
Delimiters must be carefully used. They protect from lines moved from
one file to another. Delimiter must be string that cannot be
contained in any of delimited files.
This signature is as strong as any GPG signature. And old
implementations can use this archive ignoring ./signature.
Sums in ./checksum are useful for integrity checking only. Let it be
MD5 or even CRC.
Design of signing process is changed, ant Arch is not weakest link in
a chain anymore.
--
Ivan Boldyrev
| recursion, n:
| See recursion
pgp5XCklZvrhd.pgp
Description: PGP signature
_______________________________________________ Gnu-arch-users mailing list [email protected] http://lists.gnu.org/mailman/listinfo/gnu-arch-users GNU arch home page: http://savannah.gnu.org/projects/gnu-arch/
