Re: Cryptic messages from installers

On Thu, 19 Apr 2001, Santiago Vila wrote:

> "A gpg signature is a random thing" --Debian gnupg maintainer.
> Great quote! :-)
> You must be joking. A gpg signature represents the person responsible
> for a given upload. You can make a mistake if you forgot to pass -m to
> buildpackage, but you can't gpg-sign with the private key of another
> developer. If there is something "random" here, it is the Maintainer
> field, not the gpg signature.

Yes, it represents the person.  But there can be multiple addresses on a key,
and, afaik, there is no way to tell by the signature alone which address is
responsible for the data.

So that's why you use the maintainer field.

Think about signed email.  You compare the From: field with the list of
known addresses for a key, and compare that to the sig.  This is the same
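The check described above (a valid signature identifies a key, so the claimed address has to be compared against that key's user IDs) as an added Python example, not code from this thread; it parses constructed `gpg --status-fd` and `gpg --with-colons --list-keys` output, and the key id, fingerprint and addresses are made-up placeholders.

```python
import re
from typing import List, Optional

# Constructed sample of what `gpg --status-fd 1 --verify` emits for a good signature.
# Key id and fingerprint are placeholders, not real keys.
STATUS_LINES = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Developer <dev@example.org>
[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF01234567 2001-04-19 987654321 0 4 0 17 2 00 00112233445566778899AABBCCDDEEFF01234567
[GNUPG:] TRUST_ULTIMATE
"""

# Constructed sample of `gpg --with-colons --list-keys` for that key: two uid records,
# i.e. two addresses on one key, which is exactly the case the reply raises.
KEY_LISTING = """\
pub:u:1024:17:0123456789ABCDEF:2000-01-01::u:::scSC::::::::
fpr:::::::::00112233445566778899AABBCCDDEEFF01234567:
uid:u::::2000-01-01::DEADBEEF::Example Developer <dev@example.org>::::::::::0:
uid:u::::2000-06-01::CAFEBABE::Example Developer <dev@debian.example>::::::::::0:
sub:u:1024:16:FEDCBA9876543210:2000-01-01::::::e::::::::
"""

def signing_key_fingerprint(status_text: str) -> Optional[str]:
    """Fingerprint from the VALIDSIG status line, or None when no valid signature was reported."""
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            return fields[2]
    return None

def key_addresses(listing: str, fingerprint: str) -> List[str]:
    """E-mail addresses from the uid records (field 10) of a --with-colons listing,
    but only if the listing's fpr record is the key that actually signed."""
    records = [line.split(":") for line in listing.splitlines()]
    if not any(r[0] == "fpr" and len(r) > 9 and r[9] == fingerprint for r in records):
        return []  # listing is for some other key; its addresses prove nothing
    addrs = []
    for r in records:
        if r[0] == "uid" and len(r) > 9:
            m = re.search(r"<([^>]+)>", r[9])
            if m:
                addrs.append(m.group(1).lower())
    return addrs

def maintainer_matches_signer(maintainer: str, status_text: str, listing: str) -> bool:
    """True only when the signature is valid AND the Maintainer address is a uid on the signing key."""
    fpr = signing_key_fingerprint(status_text)
    if fpr is None:
        return False
    m = re.search(r"<([^>]+)>", maintainer)
    addr = (m.group(1) if m else maintainer).strip().lower()
    return addr in key_addresses(listing, fpr)
```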

