Denis A. Altoé Falqueto wrote: > On Wed, May 5, 2010 at 2:49 PM, Denis A. Altoé Falqueto > <denisfalqu...@gmail.com> wrote: > >> On Wed, May 5, 2010 at 2:38 PM, Linas <linas...@ymail.com> wrote: >> >>> I would prefer having the signature along the package. Maybe as a tar >>> extended header. >>> This way you can't lose the detached signature (it also means that you >>> need to download twice as much files). >>> >> Hey, that would be cool! We wouldn't need to change the name structure >> of the package and would not lose the signature. >> > In fact, that is not possible. Because the signature is made over a > stream of bytes, independent of the real content. So, the signing for > a .tar.gz is absolutely identical to a signing to a text file or > whatever else. If you sign the .tar file and after that sign and > insert the signature inside the .tar, you'll invalidate the signature, > because the original stream of bytes is not the same anymore. What we > could do in the future is to have a signed package format, with an > internal .tar.xz file (the real package) and the signature tarred > together. But I think this is the least of our worries. >
In fact, for tar.gz it is possible since gzip ignores trailing content after a nul, so the signature could be appended there without interfering with non-aware utils. That possibility was used to create illegal primes on the 09 F9 11... "controversy". See http://en.wikipedia.org/wiki/Illegal_prime I didn't mention it because we are now using xz, and it may not support that. Is anyone here familiar with its format? __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com