Re: PREVIEW: bsign embeds hash and/or digital signature in ELF files
On Mon, 14 Dec 1998, Oscar Levi wrote:
> Agreed. I believe I made the point before that bsign certs only make
> sense when the sysadmin trusts the signature. I can see it being
> useful to have debian maintainers sign their binaries as part of a
> chain of trust. The SA installs a package and resigns it with his own
> key after checking the existing signature against his copy of the
> debian keyring. Sure, the debian signature is next to worthless, but
> it does establish an audit trail. If someone's key is hacked we can
> find where that key was used to authenticate binaries and rout them.
We already have an auidt trail, it's called the .dsc file. If you get a
package that has hacked programs in it then we can match them against our
.deb and .dsc to see if they came from us, and see who uploaded them.
Individual file authentication is no better.