Generate digest and signature seperately

Kerrick Staley mail at kerrickstaley.com
Mon Jun 13 02:52:01 CEST 2011


>> Given this line from the original post, "developers for the Arch Linux
>> distribution need a way to sign databases (lists of software packages)
>> on the central repository (package server) without having to copy those
>> repositories to their local computer and back" I'm guessing that it'd be
>> at least 4-6Gb per architecture.
>
> I wouldn't draw that conclusion and instead ask for more information.
> "lists of software packages" is not the same as "software packages".

The databases (lists) are not very large, as far as I understand, but
it wasn't my call ("repositories" in the 4th line is a typo; I meant
"databases"). I'm not an Arch Linux developer; I'm just contributing
to their effort to implement package signing.

Individual packages will be signed, but for complete security, the
databases must themselves also be signed; otherwise, an attacker could
use DNS spoofing to deliver a database listing outdated packages with
known vulnerabilities, and it would happily be accepted by end-users'
systems. The vulnerable packages would not be updated, but the users
would most likely not notice, since other packages would be updated.

-Kerrick Staley



More information about the Gnupg-users mailing list