[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Checking signatures on source tarballs

From: Rastus Vernon
Subject: Re: Checking signatures on source tarballs
Date: Wed, 14 Oct 2015 01:33:08 -0400

When the code comes from a Git repository, it's possible for the source
tarballs not to be signed (or not to exist at all), but for the tags in
the repository to be signed at each release. In these cases, there is
no signature file, but this is still a way for packagers to verify the
authenticity of the source code.

Ludovic Courtès wrote:
> When I download a package, the best I can do is to download its .sig 
> and check it, optionally adding the corresponding public key to my
> keyring if it’s missing.  And that’s it.

A small improvement is to download the signature from another location
(for example a public library, or using a proxy or Tor) and compare the
two to verify that they are the same. This makes a MiTM attack between
the server and the computer the signature is downloaded to nearly
impossible. The server could still be compromised, so this is not as
good as having a trusted keyring, but it's a significant improvement.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]