bug-tar
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug-tar] pgp signatures


From: Timo Sirainen
Subject: [Bug-tar] pgp signatures
Date: Wed, 13 Aug 2003 23:50:41 +0300

This ftp.gnu.org breakin again brings to my mind that it should be much easier to check file signatures. There is of course the .asc signatures that people distribute, but how many people actually verify them? Not many since it always takes extra time. At least doubles the effort to get something unpacked.

Most software is distributed with tar, and a lot of people use GNU tar, so why not create some GNU extension for it? You could still have the .asc signatures, but you could also have automatic signature checking assuming your system is correctly configured (which is a job for distributions).

I was thinking a very simple and backwards compatible change. Signing would basically do:

tar cf file.tar stuff
gpg --sign file.tar > signature.pgp
tar rf file.tar signature.pgp

Whenever extracting notices signature.pgp file, it would feed all data before that file (plus the terminating zero blocks) to gpg --verify. If there's any files after signature.pgp, it would issue a warning and would not uncompress those without some --force-insecure option.

signature.pgp filename should probably be changed. Maybe it could be marked in some special way too.

The actual signing and verifying would be done by reading commands to do that from /etc/tar.conf or something, so tar would do very little actually.





reply via email to

[Prev in Thread] Current Thread [Next in Thread]