[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Revival of the signed debs discussion


[ I'm Cc-ing Werner Koch on this ]

Wouter Verhelst:
> On Tue, Dec 02, 2003 at 10:16:32PM +0100, Matthias Urlichs wrote:
> > Hi, Henrique de Moraes Holschuh wrote:
> > 
> > > On Tue, 02 Dec 2003, Wouter Verhelst wrote:
> > >> So unless you have a suggestion that would solve this particular issue,
> > >> I'm afraid this idea won't work in practice.
> > > 
> > > We could verify if the gpg agent (gpa? I forget the name...) cannot do this
> > > over a secure channel. It should be able to, and if not, it can probably be
> > > taught to.
> > 
> > It's not that easy (basically you need to tunnel the actual
> > encryprion/signing function, not just the passphrase-getting).
> > See ssh-agent as an example.
> > 
> > The good thing is that people are already thinking about this.
> > 
> > http://lists.gnupg.org/pipermail/gnupg-users/2003-April/017920.html
> Well, implemented as Werner suggests in that message would require me to
> send the actual .deb over the line. I won't do that,

... and it doesn't make sense, since ...

> As I understand it, an OpenPGP signature is an encrypted hash or
> something similar of the actual data. It would be feasible if the
> signature algorithm would allow for hashing the data on the remote
> machine, and signing that hash locally.
... that would work. It'd probably require a few hooks within GPG
to generate a hash packet / .

> Then again, we could do such things right now. Wouldn't it be more
> interesting to gpg-sign md5sums of control.tar.gz and data.tar.gz?

That makes a lot of sense; you can then compare md5sums independently.
You can't directly compare detached signatures: they're timestamped and
contain random data, AFAIK.

Still, sending the to-be-signed file across the wire doesn't make sense.

> Especially in the case of larger .debs, that would probably reduce the
> actual signature size as well...

?? A hash is a hash, and should be independent of file size.

Matthias Urlichs   |   {M:U} IT Design @ m-u-it.de   |  smurf@smurf.noris.de
Disclaimer: The quote was selected randomly. Really. | http://smurf.noris.de
 - -
REAL PROGRAMMERS don't write in Pascal, Mesa, Ada or any of those other pinko
  computer science languages. Strong typing is for people with weak memories.

Reply to: