From: Dan Egli
Subject: Re: [Sks-devel] Secure packaging
Date: Fri, 05 Dec 2003 12:34:55 -0700
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5b) Gecko/20030723 Thunderbird/0.1

Peter Palfrader wrote:
> On Fri, 05 Dec 2003, Yaron M. Minsky wrote:
>
> > In light of the savannah break-in, and general caution, it seems like
> > some kind of package-signing might be in order. Peter Palfrader brought
> > this issue up to me, and it seems like a good idea. Do people have any
> > thoughts on the best way to distribute signed distributions? How do
> > people normally go about it?
>
> Distribute a detached signature alongside the tarball.
>
>   sks-n.n.n.tar.gz
>   sks-n.n.n.tar.gz.asc
>
> create said detached sig with 'gpg --armor --detach-sign sks-n.n.n.tar.gz'
>
> For bonus points make sure the signing key is connected to the web of trust.
>
> Peter

The best method I actually ever saw, albeit a bit paranoid, was to md5 sum the file, then NON-detached sign the md5 file.

Here's an example from the Knoppix Linux distribution:

-----BEGIN PGP SIGNED MESSAGE-----

8f841bae907f828ed7a36a0213746ab1 *KNOPPIX_V3.3-2003-11-19-EN.iso
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iQCVAwUBP7wlXzLvxgG6jwONAQHN8AQAy/GWbm07fI/i47YiyGIIQQT3w3wrIZxt
IakDVOTG9GqOBW7L0/2lH8eqw9tbmfbAajoxFubnQjwqUOBFyRtQXpu+oR+gsHfB
Vz4U1esXul6LCe2dii6XRbYU7eLmOvlxzSoi8L2rhQuzhfWCl8T2yuJPEEYUO7X/
eHGInP7zgTE=
=FExj
-----END PGP SIGNATURE-----

---
Dan
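Both schemes from the thread, the detached signature Peter suggests and the clearsigned digest file Dan quotes from Knoppix, carried through end to end on a throwaway key. This is an added example for this archive page, not code from the SKS project or from either poster. It assumes GnuPG 2.x is installed as `gpg`, that `sha256sum` from coreutils is available, and uses a constructed stand-in tarball (`sks-1.0.0.tar.gz`) and a demo identity (`release@example.invalid`); SHA-256 stands in for the MD5 of the Knoppix example because MD5 is collision-broken, the workflow is otherwise the same. The point it makes beyond the thread: with a signed digest file, verification is two separate steps, and the digest line only protects the tarball if the signature over it was checked first.

```shell
#!/bin/sh
# Added example (not SKS project code). Signs a stand-in release tarball two ways
# and verifies both, including the tampered-download case.
# Assumptions: GnuPG 2.x as `gpg`, coreutils `sha256sum`, POSIX sh.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to demonstrate" >&2; exit 0; }

# Isolated keyring: the demo never touches a real GNUPGHOME.
WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
trap 'rm -rf "$WORK"' EXIT

# Throwaway, unprotected signing key (constructed for the demo only).
gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: SKS Release Demo
Name-Email: release@example.invalid
Expire-Date: 0
%commit
EOF

# Stand-in for sks-n.n.n.tar.gz (constructed content, not a real release).
TARBALL="$WORK/sks-1.0.0.tar.gz"
printf 'stand-in release payload\n' > "$TARBALL"

# --- Scheme 1: detached, ASCII-armored signature next to the tarball ---------
sign_detached() {          # $1 = file; writes $1.asc (same command as in Peter's mail)
    gpg --batch --yes --armor --detach-sign "$1"
}
verify_detached() {        # $1 = file; 0 only if $1.asc is a good signature over $1
    gpg --batch --verify "$1.asc" "$1" 2>/dev/null
}

# --- Scheme 2: clearsigned digest file (the Knoppix style) -------------------
sign_digest_list() {       # $1 = file; writes $1.sha256 and the clearsigned $1.sha256.asc
    ( cd "$(dirname "$1")" && sha256sum "$(basename "$1")" ) > "$1.sha256"
    gpg --batch --yes --clearsign "$1.sha256"
}
verify_digest_list() {     # $1 = file; BOTH the signature and the digest must check out
    dir=$(dirname "$1"); base=$(basename "$1")
    # Step 1: gpg verifies the clearsigned text and emits it. A bad signature makes
    # gpg exit non-zero; we must stop here rather than trust whatever it printed.
    signed=$(cd "$dir" && gpg --batch --decrypt "$base.sha256.asc" 2>/dev/null) || return 1
    # Step 2: compare the signed digest line against the file actually on disk.
    # Running only this step (the common mistake) detects corruption, not substitution.
    ( cd "$dir" && printf '%s\n' "$signed" | sha256sum -c --status - )
}

sign_detached "$TARBALL"
sign_digest_list "$TARBALL"
verify_detached "$TARBALL"    && echo "detached signature: OK"
verify_digest_list "$TARBALL" && echo "clearsigned digest: OK"

# Simulate a modified download: both schemes must now reject the tarball.
cp "$TARBALL" "$TARBALL.orig"
printf 'extra bytes\n' >> "$TARBALL"
! verify_detached "$TARBALL"    && echo "modified tarball rejected by detached signature"
! verify_digest_list "$TARBALL" && echo "modified tarball rejected by signed digest"
cp "$TARBALL.orig" "$TARBALL"
```

The `.asc` next to the tarball is the simpler scheme for a downloader: one `gpg --verify` covers the whole file. The signed digest list is convenient when one signature should cover several artefacts, at the cost of the two-step check shown in `verify_digest_list`. In both cases the signature only means something if the verifier already holds the release key through a trusted path, which is what the "connected to the web of trust" remark in the thread is about.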