On Mon, 14-06-2010 at 12:17 +0100, Rob Beard wrote:
> [...]
> As they mention here, the .tar.gz file wasn't signed with a PGP key (is
> it possible to sign .tar.gz files?).

The signatures are provided in a different file; a gzipped tarball (AKA tgz or tar.gz) doesn't support PGP/GPG signing.

For example, Debian signs with GPG their dsc files that are provided with the tgz source. The dsc file has some information to verify the package integrity (i.e. a hash, file size, etc). Because that dsc file is signed with GPG, you can verify that this information is OK.

Another way to sign packages is to put in each mirror a .sig or .gpg file with the signature of the tar.gz.

I verify the sources' integrity before installing, because it's easier than reviewing the source code looking for backdoors ;)

Cheers,

Juanjo

--
jjm's home: http://www.usebox.net/jjm/
blackshell: http://blackshell.usebox.net/
ramble on: http://rambleon.usebox.net/

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
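Added example (not part of the original mailing-list thread): the second half of the dsc-based check Juanjo describes. In practice the dsc file is clearsigned, so the first step is `gpg --verify hello_1.0.dsc` (or Debian's `dscverify` from devscripts, which does both steps); once the signature is good, the `Checksums-Sha256` stanza inside the dsc lists the hash, size and name of each source file, and those are compared against the tarballs sitting next to it. The script below implements only that hash-and-size comparison, parses a constructed dsc-style stanza, and refuses file names that would escape the source directory. The package name `hello`, the file names and the file contents are all constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile


def parse_checksums(dsc_text, field="Checksums-Sha256"):
    """Return a list of (hexdigest, size, filename) from one multi-line dsc field.

    A dsc field starts with 'Field:' on its own line; every following line that
    begins with a space is an entry of the form '<hex> <size> <filename>'.
    """
    entries = []
    in_field = False
    for line in dsc_text.splitlines():
        if line.startswith(field + ":"):
            in_field = True
            continue
        if in_field:
            if not line.startswith(" "):
                break  # next field begins; this stanza is finished
            parts = line.split()
            if len(parts) != 3:
                raise ValueError("malformed checksum entry: %r" % line)
            entries.append((parts[0].lower(), int(parts[1]), parts[2]))
    return entries


def sha256_of_file(path):
    """Stream the file through SHA-256 so large tarballs are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_files(entries, directory):
    """Check every listed file; returns {filename: status}.

    Statuses: 'ok', 'bad-name' (name would leave the directory), 'missing',
    'size-mismatch' (cheap check first) or 'hash-mismatch'.
    """
    results = {}
    for digest, size, name in entries:
        # A signed dsc should never list paths; a bare file name is the only valid form.
        if name in ("", ".", "..") or os.path.basename(name) != name:
            results[name] = "bad-name"
            continue
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        if os.path.getsize(path) != size:
            results[name] = "size-mismatch"
            continue
        if not hmac.compare_digest(sha256_of_file(path), digest):
            results[name] = "hash-mismatch"
            continue
        results[name] = "ok"
    return results


def demo():
    """Constructed sample: one good file, one tampered file (same size), one missing, one bad name."""
    with tempfile.TemporaryDirectory() as d:
        good = b"pretend this is a gzipped tarball\n"
        with open(os.path.join(d, "hello_1.0.orig.tar.gz"), "wb") as f:
            f.write(good)
        # On disk the byte differs from what the dsc lists, but the length is the
        # same, so only the hash comparison catches the tampering.
        with open(os.path.join(d, "hello_1.0.debian.tar.xz"), "wb") as f:
            f.write(b"debian packaging files\n")
        listed = b"debian packaging fileS\n"
        stanza = (
            "Format: 3.0 (quilt)\n"
            "Source: hello\n"
            "Checksums-Sha256:\n"
            " %s %d hello_1.0.orig.tar.gz\n" % (hashlib.sha256(good).hexdigest(), len(good))
            + " %s %d hello_1.0.debian.tar.xz\n" % (hashlib.sha256(listed).hexdigest(), len(listed))
            + " %s 0 hello_1.0-1.diff.gz\n" % hashlib.sha256(b"").hexdigest()
            + " " + "0" * 64 + " 1 ../etc/passwd\n"
            "Files:\n"  # MD5 stanza of a real dsc; ignored by parse_checksums
            " d41d8cd98f00b204e9800998ecf8427e 0 hello_1.0-1.diff.gz\n"
        )
        return verify_files(parse_checksums(stanza), d)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print("%-28s %s" % (name, status))
```

Only a signed listing is worth checking against: if the dsc itself was not verified first, an attacker who replaced the tarball on a mirror could just as easily replace the hashes, which is exactly why Debian signs the dsc rather than the tarball.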