Re: [Savannah-hackers] Detached signatures for source files
From: Sylvain Beucler
Subject: Re: [Savannah-hackers] Detached signatures for source files
Date: Wed, 29 Sep 2004 11:41:54 +0200
User-agent: Mutt/1.4.2.1i
Hi,
Since the initial problem was typing the passphrase over and over, I
would like to point out that you can avoid doing that by using 'ssh-agent'
and 'ssh-add'. Most distros now automatically launch an ssh-agent along
with an X session, so you should only need to type 'ssh-add', enter
your passphrase, and you will not have to type it again during the
whole X session.
'gpg-agent' works similarly.
--
Sylvain
On Mon, Sep 27, 2004 at 03:04:22PM +0200, Laurence Finston wrote:
> Thanks for the explanation. I don't completely understand the issues
> involved yet.
>
> On Mon, 27 Sep 2004, Brian Gough wrote:
>
> >
> > To protect against this it is necessary to include metadata such as
> > the version number, tag and hash of the prior version in the signature
> > so that there is an audit trail from one version to the next. One way
> > is to use the --set-notation option in GPG to add this information.
>
> I'll look this up.
>
> >
> > If you are signing tar.gz files then it's less of an issue since they
> > would have the version number embedded in the tarfile directory name.
> >
>
> Actually, I'm using a single "version" number for my development versions.
> They are all version 1.2.0.0. When I release an official version it will
> be 1.2.0.1 or 1.2.1. The tarballs are all called `3DLDFsnp.tar.gz' so
> that I can just commit a new version rather than filling up the repository
> with obsolete tarballs. So if I understand you correctly, they
> are also subject to metadata attacks.
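The audit-trail idea Brian describes in the quoted part above (embedding the version, tag and hash of the prior release in the signature with --set-notation, so that a fixed tarball name like 3DLDFsnp.tar.gz cannot silently be swapped for an older signed copy) is worked through below as an added example. It is not code from this thread or from any of the participants. It assumes GnuPG with user-defined notations (names must contain an '@'; example.org is a placeholder domain), a sha256sum or shasum binary, and that the detached signature for FILE is stored as FILE.asc.

```shell
#!/bin/sh
# Added example: detached GPG signatures carrying version/tag/previous-hash
# notations, plus a verifier that checks the hash chain back to the prior
# release. NOTATION_DOMAIN is a placeholder, not a real project domain.

NOTATION_DOMAIN="example.org"

# Hex SHA-256 of a file; prints nothing if the file cannot be read.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" 2>/dev/null | cut -d' ' -f1
    else
        shasum -a 256 "$1" 2>/dev/null | cut -d' ' -f1
    fi
}

# Succeeds only if FILE ($2) hashes to the claimed digest ($1).
chain_matches() {
    actual=$(sha256_of "$2")
    [ -n "$actual" ] && [ "$actual" = "$1" ]
}

# Reads "gpg --status-fd" output on stdin and prints the value of the
# notation whose name is $1 (NOTATION_DATA follows its NOTATION_NAME line).
notation_from_status() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "NOTATION_NAME" { cur = $3 }
        $1 == "[GNUPG:]" && $2 == "NOTATION_DATA" && cur == want { print $3; exit }
    '
}

# sign_with_trail FILE VERSION TAG PREV_FILE
# Writes FILE.asc with notations tying this release to the previous one.
sign_with_trail() {
    file=$1; version=$2; tag=$3; prev=$4
    prev_hash=$(sha256_of "$prev")
    if [ -z "$prev_hash" ]; then
        echo "cannot hash previous release $prev" >&2
        return 1
    fi
    gpg --batch --yes --armor --detach-sign \
        --set-notation "version@$NOTATION_DOMAIN=$version" \
        --set-notation "tag@$NOTATION_DOMAIN=$tag" \
        --set-notation "prev-sha256@$NOTATION_DOMAIN=$prev_hash" \
        --output "$file.asc" "$file"
}

# verify_with_trail FILE PREV_FILE
# A valid signature is not enough: the prev-sha256 notation must also match
# the release we actually shipped before, otherwise an attacker could serve
# an old-but-genuinely-signed tarball under the same name.
verify_with_trail() {
    file=$1; prev=$2
    status=$(gpg --batch --status-fd 1 --verify "$file.asc" "$file" 2>/dev/null) || {
        echo "signature on $file does not verify" >&2
        return 1
    }
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || {
        echo "no GOODSIG for $file" >&2
        return 1
    }
    claimed=$(printf '%s\n' "$status" | notation_from_status "prev-sha256@$NOTATION_DOMAIN")
    if chain_matches "$claimed" "$prev"; then
        ver=$(printf '%s\n' "$status" | notation_from_status "version@$NOTATION_DOMAIN")
        echo "ok: $file is version ${ver:-?} and chains to $prev"
    else
        echo "chain broken: signature claims prev-sha256=${claimed:-<none>}, $prev hashes to $(sha256_of "$prev")" >&2
        return 1
    fi
}

# Command-line dispatch; with no arguments the file only defines functions.
case "${1:-}" in
    sign)   shift; sign_with_trail "$@" ;;
    verify) shift; verify_with_trail "$@" ;;
esac
```

Usage: `sh sign-trail.sh sign 3DLDFsnp.tar.gz 1.2.0.1 v1.2.0.1 previous.tar.gz` to sign, then `sh sign-trail.sh verify 3DLDFsnp.tar.gz previous.tar.gz` on the receiving side; `gpg --verify-options show-notations --verify 3DLDFsnp.tar.gz.asc` shows the embedded notations for a manual check. The verifier deliberately treats a missing prev-sha256 notation as a failure, since a signature without the trail is exactly what a downgrade would look like.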