Generate digest and signature seperately

Jerome Baum jerome at
Mon Jun 13 02:54:06 CEST 2011

> The databases (lists) are not very large, as far as I understand, but
> it wasn't my call ("repositories" in the 4th line is a typo; I meant
> "databases"). I'm not an Arch Linux developer; I'm just contributing
> to their effort to implement package signing.

> Individual packages will be signed, but for complete security, the
> databases must themselves also be signed; otherwise, an attacker could
> use DNS spoofing to deliver a database listing outdated packages with
> known vulnerabilities, and it would happily be accepted by end-users'
> systems. The vulnerable packages would not be updated, but the users
> would most likely not notice, since other packages would be updated.

All makes sense. Just don't get why it's so expensive to download a
small package list?

Jerome Baum
tel +49-1578-8434336
email jerome at
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA

More information about the Gnupg-users mailing list