Re: [gNewSense-users] gNewSense Repository PGP Key

From: Karl Goetz
Subject: Re: [gNewSense-users] gNewSense Repository PGP Key
Date: Mon, 14 Dec 2009 10:25:13 +1030

On Mon, 14 Dec 2009 00:35:55 +0200 (EET)
Lars Nooden <address@hidden> wrote:

> On Sun, 13 Dec 2009, Jason Self wrote:
> > You do use the public key to verify the authenticity of the
> > software being downloaded, but someone else's public key cannot be
> > used to verify the signature done with a different secret key...
> > you need to use the public key that corresponds to the secret key
> > used to do the actual signing.
> IIRC PGP is used to sign the release files (*) and the MD5 checksums
> of the individual packages are kept there and used by APT.  The goals
> are to ensure authenticity and integrity of the packages.  Currently
> generating MD5 collisions (**) may or may not be feasible, but it
> probably could be done in a reasonable amount of time with
> distributed processing.
> One of the other digest algorithms might be safer nowadays, such as 
> SHA256, for a while, if it doesn't slow things down too much.

Multiple hashes are available:

MD5sum: 42e4dfe7785315cef04679e69b124b2d
SHA1: 5816634c05f28993afcab1fa007a99b3dd5117cb
SHA256: 8802935257c8f1d02895fc8c52744086ee3be591a99772f3b22d3cf4179b1e93

> > ... if the public key were put on the wiki ...
> The wiki might be too ephemeral.  Somewhere harder to change might be
> good. There are some keys listed on this page:
> Or the FAQ might be a place for the metad key:

It's not a FAQ - it's never been asked before ;)

> /Lars
> *
> **
> =

Karl Goetz, (Kamping_Kaiser / VK5FOSS)
Debian contributor / gNewSense Maintainer
No, I won't join your social networking group

Attachment: signature.asc
Description: PGP signature
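
The checksum step discussed in this message, as an added example that is not part of the original post or of APT's own code: it reads the MD5sum/SHA1/SHA256 fields of one index stanza, verifies a downloaded file against the strongest digest listed, and rejects entries that offer only MD5. It assumes the PGP signature over the release file has already been checked separately; the function names and sample data are constructed for illustration.

```python
import hashlib

# Digest fields as named in the message above, strongest first.
PREFERENCE = [("SHA256", "sha256"), ("SHA1", "sha1"), ("MD5sum", "md5")]

def parse_stanza(text):
    """Parse the 'Field: value' lines of one index stanza into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith((" ", "\t")):
            name, _, value = line.partition(":")
            fields[name.strip()] = value.strip()
    return fields

def verify(data, fields, minimum="SHA256"):
    """Check data against the strongest listed digest; return its field name.

    Raises ValueError when the size or digest differs, or when the stanza
    lists nothing at least as strong as `minimum` (an MD5-only entry fails).
    """
    if "Size" in fields and int(fields["Size"]) != len(data):
        raise ValueError("Size mismatch")
    names = [name for name, _ in PREFERENCE]
    allowed = names[: names.index(minimum) + 1]
    for field, algo in PREFERENCE:
        if field in allowed and field in fields:
            if hashlib.new(algo, data).hexdigest() != fields[field].lower():
                raise ValueError(field + " mismatch")
            return field
    raise ValueError("no digest at least as strong as " + minimum)

def make_stanza(data, digests=PREFERENCE):
    """Build a constructed sample stanza (stands in for the repository index)."""
    lines = ["Package: example", "Size: %d" % len(data)]
    lines += ["%s: %s" % (f, hashlib.new(a, data).hexdigest()) for f, a in digests]
    return "\n".join(lines)

SAMPLE_DEB = b"constructed package bytes, not a real .deb"  # constructed input

if __name__ == "__main__":
    fields = parse_stanza(make_stanza(SAMPLE_DEB))
    print("verified with", verify(SAMPLE_DEB, fields))
    try:
        verify(b"X" + SAMPLE_DEB[1:], fields)  # same size, one byte changed
    except ValueError as err:
        print("tampered copy rejected:", err)
```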
