
[Gnu-arch-users] Re: (fairly minor) SECURITY ISSUE


From: Miles Bader
Subject: [Gnu-arch-users] Re: (fairly minor) SECURITY ISSUE
Date: 21 Jan 2004 16:30:52 +0900

Tom Lord <address@hidden> writes:
> Currently, the signing mechanism in tla is signing-regimen-agnostic.
> You don't have to use gpg (or any other pgp work-similar).   You could
> cons up something with any crypto tool you like.

How about adding, in addition to `=default.check' (or whatever),
`=default.contents' which should return the contents of the file that
tla should use.  [could this serve in _place_ of =default.check?]

For gpg, I guess this would usually be `gpg --decrypt'.

For instance, on the following file:

   HA HA HA, I'M A CRACKER!
   -----BEGIN PGP SIGNED MESSAGE-----
   Hash: SHA1

   Signature-for: address@hidden/cray--devo--0--patch-55
   md5 log 1fa0a2ca4ea0dbdf0f4c009f5d8df9b2
   md5 cray--devo--0--patch-55.patches.tar.gz 18802c6aaa64415d8c70d8f4112c5b90
   -----BEGIN PGP SIGNATURE-----
   Version: GnuPG v1.2.4 (GNU/Linux)

   iD8DBQFAA6t0JZUtNEYDMO4RAqBbAJ9JTl4yDtDPrGpVUNhwjPQ6UC+Y8QCfUuI8
   izVgjQSvdB2mF8PoKoyQgA0=
   =rLzP
   -----END PGP SIGNATURE-----

gpg --decrypt emits:

   Signature-for: address@hidden/cray--devo--0--patch-55
   md5 log 1fa0a2ca4ea0dbdf0f4c009f5d8df9b2
   md5 cray--devo--0--patch-55.patches.tar.gz 18802c6aaa64415d8c70d8f4112c5b90

[Plus the usual random verbosity to stderr]

-miles
-- 
Saa, shall we dance?  (from a dance-class advertisement)
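
The proposal above, sketched as an added example (not part of the original message and not tla's own code): the consumer parses only what the contents command writes to stdout, and only when that command exits 0, so text outside the signed region never reaches the parser. `signed_contents`, `parse_manifest`, `demo` and the `STAND_IN` command are hypothetical names; `STAND_IN` is a constructed substitute that verifies nothing and exists only so the sketch runs without gpg or a keyring.

```python
import subprocess, sys, tempfile

# Constructed sample modelled on the file in the message; the signature
# block is a placeholder, so real gpg would reject it.
SAMPLE = """HA HA HA, I'M A CRACKER!
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Signature-for: address@hidden/cray--devo--0--patch-55
md5 log 1fa0a2ca4ea0dbdf0f4c009f5d8df9b2
md5 cray--devo--0--patch-55.patches.tar.gz 18802c6aaa64415d8c70d8f4112c5b90
-----BEGIN PGP SIGNATURE-----
placeholder
-----END PGP SIGNATURE-----
"""

# Hypothetical stand-in for the contents command so the demo runs offline:
# it prints the signed body and verifies nothing.
STAND_IN = (sys.executable, "-c", """import sys
t = open(sys.argv[1]).read().split("-----BEGIN PGP SIGNED MESSAGE-----\\n", 1)[1]
sys.stdout.write(t.split("\\n\\n", 1)[1].split("-----BEGIN PGP SIGNATURE-----")[0])
""")

def signed_contents(path, cmd=("gpg", "--decrypt")):
    """Return the command's stdout, and only if it exited 0."""
    p = subprocess.run([*cmd, path], capture_output=True, text=True)
    if p.returncode != 0:
        raise ValueError("signature check failed: " + p.stderr.strip())
    return p.stdout

def parse_manifest(contents):
    """Strict parse: anything but the expected lines is an error."""
    lines = [l for l in contents.splitlines() if l.strip()]
    if not lines or not lines[0].startswith("Signature-for: "):
        raise ValueError("unexpected first line")
    sums = {}
    for line in lines[1:]:
        algo, name, digest = line.split()  # wrong field count raises ValueError
        if algo != "md5" or len(digest) != 32:
            raise ValueError("bad checksum line: " + line)
        sums[name] = digest
    return lines[0].split(": ", 1)[1], sums

def demo(cmd=STAND_IN):
    """Write SAMPLE to a temp file and parse what the contents command emits."""
    with tempfile.NamedTemporaryFile("w", suffix=".sig") as f:
        f.write(SAMPLE)
        f.flush()
        return parse_manifest(signed_contents(f.name, cmd))
```

Calling `parse_manifest(SAMPLE)` on the raw file raises `ValueError` because of the unsigned first line, while `demo()` returns the revision name and the two checksums.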



