[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [gNewSense-users] gNewSense Repository PGP Key

From: Lars Nooden
Subject: Re: [gNewSense-users] gNewSense Repository PGP Key
Date: Mon, 14 Dec 2009 00:35:55 +0200 (EET)
User-agent: Alpine 2.00 (BSO 1167 2008-08-23)

On Sun, 13 Dec 2009, Jason Self wrote:
You do use the public key to verify that the authenticity of the software being downloaded, but someone else's public key cannot be used to verify the signature done with a different secret key... you need to use the public key that corresponds to the secret key used to do the actual signing.

IIRC PGP is used to sign the release files (*) and the MD5 checksums of the individual packages are kept there and used by APT. The goals are to ensure authenticity and integrity of the packages. Currently generating MD5 collisions (**) may or may not be feasible, but it probably could be done in a reasonable amount of time with distributed processing.

One of the other digest algorithms might be safer nowadays, such as SHA256, for a while, if it doesn't slow things down too much.

... if the public key were put on the wiki ...

The wiki migt be too ephemeral. Somewhere harder to change might be good. There are some keys listed on this page:

Or the FAQ might be a place for the metad key:




reply via email to

[Prev in Thread] Current Thread [Next in Thread]