
Re: cross gcc-4.1.2-12 packages




+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
schmitz@biophys.uni-duesseldorf.de
schmitz@debian.org			(Debian stuff)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

On Sat, 30 Jun 2007, Brian Morris wrote:

> On 6/29/07, Bill Allombert <Bill.Allombert@math.u-bordeaux1.fr> wrote:
> > On Mon, Jun 25, 2007 at 10:33:39PM -0700, Brian Morris wrote:
>
> >
> > Next time, please sign the whole tarball. This prevents tampering by
> > third party (which is more of a concern than tampering done by yourself).
> >
> That's why I wanted to sign the deb files with debsigs. (Even though
> nobody apparently uses this, it looks like *everyone* *should*.)
>
> I don't know how to sign a tarball like that. Would you be more specific,
> exactly what command are you using?

Without reference to man pages: calculate the md5 hash of the tarball and
place that together with file size and file name into a text file
(look at how the .changes and .dsc files are structured; the .dsc contains
the hash of the .orig.tar.gz for a source package). Then sign the text
file (gpg -sta). Due to the signature on the text file, no one can tamper
with the hash you submit (and, barring elaborate hash collision tricks, no
one can tamper with the tarball proper).

	Michael
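The procedure Michael describes, worked through as an added example (not code from the original mail or from Debian's own tools): build the checksum stanza for the tarball, sign it, then verify both the signature and the tarball against it. The package name, paths and signer identity are invented, the "tarball" is a constructed file, and the script emits a SHA-256 line alongside the md5 one because MD5 collisions are practical today (a current .dsc carries a Checksums-Sha256 field for the same reason). It needs coreutils md5sum/sha256sum and, for the signing half, gpg.

```shell
#!/bin/sh
# Added example, not code from the original mail or from Debian's tools:
# build a .dsc-style checksum manifest for a tarball, clearsign it with gpg,
# then verify the signature and the tarball against it. Package name, paths
# and the signer identity are invented; the "tarball" is a constructed file.
set -eu

# Write the manifest. "Files:" carries "md5 size name" exactly as the mail
# describes (and as .dsc/.changes do). "Checksums-Sha256:" is added because
# MD5 collisions are practical; a current .dsc carries that field too.
make_manifest() {   # make_manifest <tarball> <manifest-out>
    name=$(basename "$1")
    size=$(wc -c < "$1" | tr -d ' ')
    md5=$(md5sum "$1" | cut -d' ' -f1)
    sha=$(sha256sum "$1" | cut -d' ' -f1)
    {
        printf 'Format: 1.0\n'
        printf 'Checksums-Sha256:\n %s %s %s\n' "$sha" "$size" "$name"
        printf 'Files:\n %s %s %s\n' "$md5" "$size" "$name"
    } > "$2"
}

# Return 0 only if the tarball's size, md5 and sha256 all appear in the
# manifest. Works on the plain and on the clearsigned manifest, because
# clearsigning leaves these lines verbatim (they do not start with '-').
check_manifest() {  # check_manifest <tarball> <manifest>
    name=$(basename "$1")
    size=$(wc -c < "$1" | tr -d ' ')
    md5=$(md5sum "$1" | cut -d' ' -f1)
    sha=$(sha256sum "$1" | cut -d' ' -f1)
    grep -Fqx " $md5 $size $name" "$2" && grep -Fqx " $sha $size $name" "$2"
}

# Throwaway signing key in a private GNUPGHOME so the real keyring is
# untouched. The identity is invented; publish with a real key instead.
setup_throwaway_key() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example Signer <signer@example.invalid>' \
        default default never >/dev/null 2>&1
}

# Clearsign the manifest. The mail's "gpg -sta" wraps text and signature in
# one armoured block; --clearsign leaves the text readable above the
# signature block, which is the form .dsc and .changes files use.
sign_manifest() {   # sign_manifest <manifest> <signed-out>
    gpg --batch --yes --clearsign --output "$2" "$1" >/dev/null 2>&1
}

# Exit 0 only when the signature over the whole text checks out.
verify_signature() { # verify_signature <signed-manifest>
    gpg --batch --verify "$1" >/dev/null 2>&1
}

# Whole flow plus the two tampering cases; returns 0 if every expectation
# held. The gpg steps are skipped (with a message) where gpg is not usable.
demo() {
    work=$(mktemp -d)
    tarball="$work/hello_1.0.orig.tar.gz"
    dsc="$work/hello_1.0.dsc"
    printf 'not a real tarball, just constructed bytes\n' > "$tarball"
    make_manifest "$tarball" "$dsc"
    check_manifest "$tarball" "$dsc" || return 1
    echo "manifest matches tarball"

    printf 'x' >> "$tarball"          # third party swaps in a modified tarball
    if check_manifest "$tarball" "$dsc"; then return 1; fi
    echo "tampered tarball detected by hash check"

    if command -v gpg >/dev/null 2>&1 && setup_throwaway_key; then
        sign_manifest "$dsc" "$dsc.asc"
        verify_signature "$dsc.asc" || return 1
        echo "signature on manifest is good"
        # Attacker edits a digit of the md5 line inside the signed file:
        # the text no longer matches what was signed.
        sed '/^ [0-9a-f]\{32\} /s/^ ./ z/' "$dsc.asc" > "$dsc.bad"
        if verify_signature "$dsc.bad"; then return 1; fi
        echo "tampered manifest detected by signature check"
        gpgconf --kill gpg-agent >/dev/null 2>&1 || true
        rm -rf "$GNUPGHOME"
    else
        echo "gpg not usable here; signing steps skipped"
    fi
    rm -rf "$work"
}

demo
```

The property being exercised is the one Michael states: the signature binds the hashes, so someone who replaces the tarball fails the hash check, and someone who edits the hash line fails the signature check. Without the signature, an attacker who can replace the tarball can just as easily replace the unsigned text file beside it, which is why signing the hash file (or the whole tarball) rather than publishing a bare md5 is what makes the check worth anything.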
