Automated signature verification for downloads
wk at gnupg.org
Wed Apr 23 13:23:34 CEST 2008
On Wed, 23 Apr 2008 09:33, anthonybryan at gmail.com said:
> The metalink specification is at
> I agree, it's not easy enough to find. That will be fixed.
Okay. (The plain text version is not very readable).
> The headers are produced by GnuPG when it verifies the signature
> (AFAIK). Is there a problem with this?
No, that is not generated by GnuPG. The script probably presents the
information in this way. It should also state whether the signature is
good or broken.
From the metalink 3.0 specs:
Also, PGP signatures can be embedded with <signature type="pgp"> and
can contain an optional file attribute which references another file
(for example, <file name="linux.sign">) listed in the Metalink as so:
<signature type="pgp" file="linux.sign">
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v220.127.116.11 (GNU/Linux)
It is not clear to me why there is the file attribute as well as the
armored version of the signature. Is that signature a signature over
the "linux.sign" file or one over the actual file "linux"?
Referencing a copy does not seem to be a good idea because of error
reporting problems if they don't match.
If it is just an (armored) copy, I suggest dropping the file attribute.
Keeping the armored signature in the XML is just fine.
Thoughts are free. Exceptions are regulated by a federal law.
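
One way a download script could report "good or broken" for an embedded signature, added here as an example; it is not code from this thread or from the Metalink project. It assumes the armored block is a detached signature over the enclosing <file name> entry (the question the message leaves open), the element nesting of the constructed sample, and a gpg binary on PATH for verify(); the verdict is read from GnuPG's --status-fd lines rather than from its human-readable output.

```python
import subprocess, tempfile
import xml.etree.ElementTree as ET

# Constructed Metalink fragment: nesting is assumed, signature body is a placeholder.
SAMPLE = """<metalink><files><file name="linux"><verification>
<signature type="pgp" file="linux.sign">
-----BEGIN PGP SIGNATURE-----
(placeholder, not a real signature)
-----END PGP SIGNATURE-----
</signature></verification></file></files></metalink>"""

def local(tag):
    """Strip an XML namespace prefix such as '{ns}signature'."""
    return tag.rsplit("}", 1)[-1]

def embedded_signatures(xml_text):
    """Return (data file name, file attribute, armored text) per PGP signature."""
    out = []
    for f in ET.fromstring(xml_text).iter():
        if local(f.tag) != "file":
            continue
        for s in f.iter():
            if local(s.tag) == "signature" and s.get("type") == "pgp":
                out.append((f.get("name"), s.get("file"), (s.text or "").strip()))
    return out

# Status keywords that must never be reported as a good signature.
FAIL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def verdict(status_text):
    """Map GnuPG --status-fd output to 'good', 'bad' or 'unverified' (fail closed)."""
    seen = {l.split()[1] for l in status_text.splitlines()
            if l.startswith("[GNUPG:] ") and len(l.split()) > 1}
    if "BADSIG" in seen:
        return "bad"
    if {"GOODSIG", "VALIDSIG"} <= seen and not (seen & FAIL):
        return "good"
    return "unverified"  # missing key, expired key, no status lines at all, ...

def verify(armored, data_path):
    """Run gpg on the embedded block, treated as detached over data_path."""
    with tempfile.NamedTemporaryFile("w", suffix=".asc") as sig:
        sig.write(armored + "\n")
        sig.flush()
        p = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify",
                            sig.name, data_path], capture_output=True, text=True)
    return verdict(p.stdout)
```
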