signing source code with gpg

Werner Koch wk at gnupg.org
Wed Mar 14 18:21:24 CET 2007


On Wed, 14 Mar 2007 18:02, me at psmay.com said:

> two factors it's really just way better to --detach-sign the code.

I 100% agree. The problem with non-detached signatures is that it is
very hard to know what you exactly signed.  Having two files makes it
obvious what is the signature and what is the signed data.  And there
is no need to change the data in any way.


Shalom-Salam,

   Werner


p.s.
In this regard PGP/MIME messages (not using the combined option) are
also better and any other way to sign mails.  That is also why you
should never use the inline PDF signatures - a separate signature file
is far better.  Only XML signatures are worse than inline PDF
signatures.
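As an added illustration of the point made above (this script is not part of Werner's message or of GnuPG itself), the following shell script signs a constructed stand-in for a source tarball both ways with a throwaway key: the detached signature leaves the data file untouched and stops verifying as soon as one byte changes, while the non-detached form produces a wrapped file whose signed content can only be seen by letting gpg unwrap it again. It assumes gpg 2.1 or later on PATH; the user ID and file names are placeholders.

```shell
#!/bin/sh
# Constructed example: detached vs. non-detached gpg signing, using a
# throwaway key in a temporary GNUPGHOME so the real keyring is untouched.
setup_keyring() {
    export GNUPGHOME
    GNUPGHOME=$(mktemp -d)
    chmod 700 "$GNUPGHOME"
    # Ephemeral, passphrase-less key; the user ID is a placeholder.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example Signer <signer@example.invalid>' \
        default default never
}

# Sign $1 detached into $1.sig; the data file itself is not modified.
detach_sign() {
    gpg --batch --quiet --yes --detach-sign --output "$1.sig" "$1"
}

# Verify detached signature $1 over data file $2; 0 only for the exact bytes.
verify_detached() {
    gpg --batch --quiet --verify "$1" "$2" 2>/dev/null
}

# Non-detached signing wraps data and signature into one OpenPGP file;
# to see what was signed you have to let gpg unwrap it again.
inline_sign() {
    gpg --batch --quiet --yes --sign --output "$1.gpg" "$1"
}
extract_inline() {
    gpg --batch --quiet --yes --output "$2" --decrypt "$1" 2>/dev/null
}

demo() {
    setup_keyring
    work=$(mktemp -d)
    printf 'release 1.0 source tarball stand-in\n' > "$work/src.tar"
    detach_sign "$work/src.tar"
    verify_detached "$work/src.tar.sig" "$work/src.tar" || return 1
    # Flip one byte of the data: the same .sig must no longer verify.
    printf 'X' | dd of="$work/src.tar" bs=1 conv=notrunc 2>/dev/null
    if verify_detached "$work/src.tar.sig" "$work/src.tar"; then return 2; fi
    inline_sign "$work/src.tar"
    # The wrapped file is not the data; only gpg can turn it back into it.
    cmp -s "$work/src.tar" "$work/src.tar.gpg" && return 3
    extract_inline "$work/src.tar.gpg" "$work/unwrapped" || return 4
    cmp -s "$work/src.tar" "$work/unwrapped" || return 5
    gpgconf --kill gpg-agent; rm -rf "$GNUPGHOME" "$work"
}
```

Run `demo` to exercise all steps; it returns 0 only when every expectation holds.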
More information about the Gnupg-users mailing list