Automated signature verification for downloads

Werner Koch wk at
Wed Apr 23 13:23:34 CEST 2008

On Wed, 23 Apr 2008 09:33, anthonybryan at said:

> The metalink specification is at
> I agree, it's not easy enough to find. That will be fixed.

Okay.  (The plain text version is not very good readable).

> The headers are produced by GnuPG when it verifies the signature
> (AFAIK). Is there a problem with this?

No, that is not generated by GnuPG.  The script probably preents the
information in this way.  It should also state whether the signature is
good or broken..

>From the metalink 3.0 specs:

   Also, PGP signatures can be embedded with <signature type="pgp"> and
   can contain an optional file attribute which references another file
   (for example, <file name="linux.sign">) listed in the Metalink as so:

          <signature type="pgp" file="linux.sign">
          -----BEGIN PGP SIGNATURE-----
          Version: GnuPG v1.4.2.2 (GNU/Linux)

it is not clear to me why there is the file attribute as well as the
armored version of the signature.  Is that signature a signature over
the "linux.sign" file or one over the the actual file "linux"?
Referencing a copy does not seem to be a good idea because of error
reporting problems if they don't match. 

If it is just a (armored) copy, I suggest to drop the file attribute.
Keeping the armored signature in the XML is just fine.



Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.

More information about the Gnupg-users mailing list