Automated signature verification for downloads
Werner Koch
wk at gnupg.org
Wed Apr 23 13:23:34 CEST 2008
On Wed, 23 Apr 2008 09:33, anthonybryan at gmail.com said:
> The metalink specification is at
> http://www.metalinker.org/implementation.html#spec
> I agree, it's not easy enough to find. That will be fixed.
Okay. (The plain text version is not very readable.)
> The headers are produced by GnuPG when it verifies the signature
> (AFAIK). Is there a problem with this?
No, that is not generated by GnuPG. The script probably presents the
information in this way. It should also state whether the signature is
good or broken.
From the metalink 3.0 specs:
Also, PGP signatures can be embedded with <signature type="pgp"> and
can contain an optional file attribute which references another file
(for example, <file name="linux.sign">) listed in the Metalink as so:
<verification>
<signature type="pgp" file="linux.sign">
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
[...]
it is not clear to me why there is the file attribute as well as the
armored version of the signature. Is that signature a signature over
the "linux.sign" file or one over the actual file "linux"?
Referencing a copy does not seem to be a good idea because of error
reporting problems if they don't match.
If it is just an (armored) copy, I suggest dropping the file attribute.
Keeping the armored signature in the XML is just fine.
Salam-Shalom,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
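To make the two points of this thread concrete (a verifier must report good, bad and "could not verify" as distinct outcomes, and the embedded armored signature is what gets verified), here is an added example that is not code from the thread, GnuPG or the Metalink project. It assumes the Metalink 3.0 namespace shown, a `gpg` binary in PATH, and the standard GnuPG `--status-fd` keywords; the sample XML is constructed and its armored block is a placeholder.

```python
import subprocess
import tempfile
import xml.etree.ElementTree as ET

# Constructed Metalink 3.0 fragment; the armored block is a placeholder, not a real signature.
METALINK = """<metalink version="3.0" xmlns="http://www.metalinker.org/">
 <files><file name="linux"><verification>
  <signature type="pgp" file="linux.sign">-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

[...]
-----END PGP SIGNATURE-----</signature>
 </verification></file></files>
</metalink>"""
NS = {"m": "http://www.metalinker.org/"}  # assumed namespace of the 3.0 format

def extract_pgp_signatures(xml_text):
    """Return (file name, 'file' attribute, armored text) for each pgp signature."""
    root = ET.fromstring(xml_text)
    found = []
    for f in root.iterfind(".//m:file", NS):
        for sig in f.iterfind("m:verification/m:signature", NS):
            if sig.get("type") == "pgp":
                found.append((f.get("name"), sig.get("file"), (sig.text or "").strip()))
    return found

def classify_gpg_status(status_text):
    """Reduce GnuPG --status-fd output to one verdict; only 'good' is acceptable."""
    keywords = {ln.split()[1] for ln in status_text.splitlines()
                if ln.startswith("[GNUPG:] ") and len(ln.split()) > 1}
    if "BADSIG" in keywords:
        return "bad"        # signature does not match the data
    if keywords & {"ERRSIG", "NO_PUBKEY"}:
        return "error"      # could not verify (e.g. key unavailable)
    if "GOODSIG" in keywords:
        return "good"
    return "unknown"        # includes EXPKEYSIG/REVKEYSIG: do not treat as good

def verify_embedded_signature(armored_sig, data_path, gpg="gpg"):
    """Write the embedded armored signature to a temp file and verify it over data_path."""
    with tempfile.NamedTemporaryFile("w", suffix=".asc", delete=False) as tmp:
        tmp.write(armored_sig + "\n")
    proc = subprocess.run([gpg, "--batch", "--status-fd", "1", "--verify", tmp.name, data_path],
                          capture_output=True, text=True)
    return classify_gpg_status(proc.stdout)
```

A download client would call `verify_embedded_signature(sig, "linux")` for each tuple from `extract_pgp_signatures` and refuse the file on anything other than "good", reporting the distinct verdict to the user.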