Re: Bug#540215: Introduce dh_checksums
- To: debian-devel@lists.debian.org
- Cc: debian-dpkg@lists.debian.org
- Subject: Re: Bug#540215: Introduce dh_checksums
- From: Goswin von Brederlow <goswin-v-b@web.de>
- Date: Fri, 16 Apr 2010 17:04:56 +0200
- Message-id: <87k4s7l9pj.fsf@frosties.localdomain>
- In-reply-to: <20100416011001.GB25023@sbs288.lan> (Harald Braumann's message of "Fri, 16 Apr 2010 03:10:01 +0200")
- References: <87eijj7523.fsf@frosties.localdomain> <20100317103100.GA18915@celtic.nixsys.be> <1268956013.11872.58.camel@solid.paris.klabs.be> <871vfhchnc.fsf@windlord.stanford.edu> <20100320004007.GC1000@nn.nn> <87eijfstdj.fsf@windlord.stanford.edu> <20100320122752.GD1000@nn.nn> <20100323101927.GR21254@celtic.nixsys.be> <20100415124407.GA3084@rivendell> <871vegstfg.fsf@frosties.localdomain> <20100416011001.GB25023@sbs288.lan>
Harald Braumann <harry@unheit.net> writes:
> On Thu, Apr 15, 2010 at 04:04:51PM +0200, Goswin von Brederlow wrote:
>
>> The checksum file could be attached as additional member in the
>> .deb. And a signature could be a signed file containing the checksum
>> size and name of all members of a .deb preceeding the signature. That
>> way the signature can verify the deb itself or individual members, like
>> the checksum file, in the .deb. Just a thought.
>
> I'm not sure, how you mean that exactly. But the signature must be
> over the checksum file, nothing more and nothing less. Otherwise
> you won't be able to verify the checksum file.
A signature could look like this:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
90d462d27ac404ecabfc9ca7f306dec0b81d3576 3456 control.tar.gz
ed43cc24b4f5472d25fc9c82a67daed317c8d415 3573458 data.tar.gz
90d462d27ac404ecab247a82a67daed317c8d415 971 checksum_control
ed43cc24b4f5472d25fc9ca7f306dec0b81d3576 1234 checksum_data
9528348234958345473658358238452836482685 3536 signature_01
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iD8DBQFLyHvbH8SBz+0NfPoRAofQAJoDlO38O3UqfcSyN6xj92s/LQlAzwCgweC2
BiK6lI0aABtTwvXVIEiqXNg=
=cOUY
-----END PGP SIGNATURE-----
> Also I think it's really a very bad idea in general to mix multiple
> different things into one signature. The one thing is a signature over
> installed files (via the checksum file). The other is a signature over
> a package. The two are completely orthogonal and serve different
> purposes.
It would be a signature over members of the .deb file. The meaning of
each member doesn't matter.
> harry
MfG
Goswin
Reply to: