Charles Steinkuehler wrote:
>Yeah, I think it's pretty big, plus I believe most of these packages require
>openssl and other huge add-ons to run. The basics of public-key
>cryptography, however, are pretty simple, so I think it'd be possible to
>make a small (a few K, perhaps) binary that would simply calculate and
>verify signatures, as long as there aren't too many various options to deal
>with (i.e. no cert chains, or fancy stuff, just plain-old crypto signing).

This is probably a stupid question, but are you thinking of something along the terms of having the package maintainer's public keys on the local box to compare to? For example, a "certs keyring" package, and if the public key isn't found the signature can't be verified?

Or are you suggesting that the package be self-signed - simply verify the package is intact, but not certified that it's what the maintainer put together?

_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel
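
The two models asked about above, as an added example that is not part of the original message or of any LEAF code: a lookup against locally held maintainer keys next to a self-signed check that trusts whatever key ships with the package. It uses toy textbook RSA (constructed keys from known Mersenne primes, no padding) only to stay self-contained; the key names, signer ids and package contents are assumptions.

```python
import hashlib

# Toy textbook RSA for illustration only: constructed keys, no padding.
# Not secure; a real verifier needs a vetted library and full-size keys.
E = 65537

def make_key(p, q):
    """Return (public, private) where public=(n, e) and private=(n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(data, n):
    # Hash the package and reduce the hash into the modulus range.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, private):
    n, d = private
    return pow(digest(data, n), d, n)

def check(data, sig, public):
    n, e = public
    return pow(sig, e, n) == digest(data, n)

def verify_self_signed(data, sig, embedded_public):
    # The key travels with the package: proves integrity only, not origin.
    return check(data, sig, embedded_public)

def verify_with_keyring(data, sig, signer, keyring):
    # The key comes from the local keyring: unknown signers are rejected.
    public = keyring.get(signer)
    if public is None:
        return "unknown-signer"
    return "ok" if check(data, sig, public) else "bad-signature"

# Constructed sample data (hypothetical names and contents).
MAINT_PUB, MAINT_PRIV = make_key(2**61 - 1, 2**89 - 1)
OTHER_PUB, OTHER_PRIV = make_key(2**107 - 1, 2**127 - 1)
KEYRING = {"maintainer": MAINT_PUB}
PKG = b"constructed package contents v1"
REPACKED = b"constructed package contents, repacked by someone else"

if __name__ == "__main__":
    print(verify_with_keyring(PKG, sign(PKG, MAINT_PRIV), "maintainer", KEYRING))
    repacked_sig = sign(REPACKED, OTHER_PRIV)
    print(verify_self_signed(REPACKED, repacked_sig, OTHER_PUB))
    print(verify_with_keyring(REPACKED, repacked_sig, "someone-else", KEYRING))
    print(verify_with_keyring(REPACKED, repacked_sig, "maintainer", KEYRING))
```

The repacked package passes the self-signed check because its own key vouches for it, while the keyring check rejects it either as an unknown signer or as a bad signature under the maintainer's key.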