Re: [Reproducible-builds] concrete steps for improving apt downloading security and privacy

W. Martin Borgert wrote:
> On 2014-09-24 23:05, Hans-Christoph Steiner wrote:
>> * the signature files sign the package contents, not the hash of
>>   whole .deb file (i.e. control.tar.gz and data.tar.gz).
> So preinst and friends would not be signed? Sounds dangerous to me.

All package contents would be signed, except the signature itself.  The
signature would be a separate file in the ar archive of the .deb that signs
control.tar.gz and data.tar.gz. See jar or apk format for an example of how
this works.
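As an added illustration of the layout described in this message (example code written for this page, not code from the thread, dpkg or apt): a .deb is an ar archive, so the script below writes and parses that container, builds a package from a `debian-binary` member plus `control.tar.gz` and `data.tar.gz`, and appends a separate signature member that covers only those two tarballs, much as a jar's signature files cover the manifest of entries. The signing primitive is HMAC-SHA256 with a constructed key, a stand-in chosen so the script runs with only the standard library; a real design would use an asymmetric signature (for example OpenPGP, which apt already uses for Release files) so that clients hold only a public key. The member name `_signature` and the manifest line format are assumptions.

```python
import hashlib
import hmac
import io
import tarfile

AR_MAGIC = b"!<arch>\n"
SIGNED_MEMBERS = ("control.tar.gz", "data.tar.gz")  # what the signature covers
SIGNATURE_MEMBER = "_signature"  # hypothetical name for the detached signature member


def ar_write(members):
    """Serialize [(name, bytes), ...] as a plain ar archive (the container format of .deb)."""
    out = io.BytesIO()
    out.write(AR_MAGIC)
    for name, data in members:
        out.write(
            name.encode("ascii").ljust(16)       # member name, space padded
            + b"0".ljust(12)                     # mtime
            + b"0".ljust(6) + b"0".ljust(6)      # uid, gid
            + b"100644".ljust(8)                 # mode (octal)
            + str(len(data)).encode().ljust(10)  # size in bytes
            + b"`\n"                             # header terminator
        )
        out.write(data)
        if len(data) % 2:                        # members start on even offsets
            out.write(b"\n")
    return out.getvalue()


def ar_read(blob):
    """Parse an ar archive into [(name, bytes), ...]; raises ValueError on malformed input."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos, members = len(AR_MAGIC), []
    while pos < len(blob):
        hdr = blob[pos:pos + 60]
        if len(hdr) < 60 or hdr[58:60] != b"`\n":
            raise ValueError("truncated or corrupt ar header")
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        start = pos + 60
        if start + size > len(blob):
            raise ValueError("member extends past end of archive")
        members.append((name, blob[start:start + size]))
        pos = start + size + (size % 2)
    return members


def make_targz(files):
    """Build an in-memory .tar.gz from {path: bytes} (constructed package contents)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def manifest(members):
    """Bind each signed member's name to the SHA-256 of its full bytes; this is what gets signed."""
    names = [n for n, _ in members]
    if len(names) != len(set(names)):
        raise ValueError("duplicate member names make the signed content ambiguous")
    by_name = dict(members)
    lines = []
    for name in SIGNED_MEMBERS:
        if name not in by_name:
            raise ValueError(f"missing member {name}")
        lines.append(f"{name} sha256={hashlib.sha256(by_name[name]).hexdigest()}")
    return "\n".join(lines).encode() + b"\n"


def sign_deb(deb, key):
    """Append a signature member over control.tar.gz and data.tar.gz; any earlier signature is dropped."""
    members = [m for m in ar_read(deb) if m[0] != SIGNATURE_MEMBER]
    tag = hmac.new(key, manifest(members), hashlib.sha256).hexdigest().encode()
    return ar_write(members + [(SIGNATURE_MEMBER, tag)])


def verify_deb(deb, key):
    """True iff exactly one signature member is present and it matches the current tarballs."""
    try:
        members = ar_read(deb)
        stored = [d for n, d in members if n == SIGNATURE_MEMBER]
        if len(stored) != 1:
            return False
        content = [m for m in members if m[0] != SIGNATURE_MEMBER]
        expected = hmac.new(key, manifest(content), hashlib.sha256).hexdigest().encode()
    except ValueError:
        return False
    return hmac.compare_digest(stored[0], expected)


def replace_member(deb, name, data):
    """Rewrite one member in place (used below to show that a changed preinst is detected)."""
    return ar_write([(n, data if n == name else d) for n, d in ar_read(deb)])


def build_demo():
    """Returns (signed verifies, modified control.tar.gz verifies, unsigned verifies)."""
    key = b"constructed-demo-key"  # stand-in for a private signing key
    control = make_targz({"control": b"Package: demo\nVersion: 1.0\n",
                          "preinst": b"#!/bin/sh\necho installing\n"})
    data = make_targz({"usr/bin/demo": b"#!/bin/sh\necho hello\n"})
    deb = ar_write([("debian-binary", b"2.0\n"),
                    ("control.tar.gz", control), ("data.tar.gz", data)])
    signed = sign_deb(deb, key)
    modified_control = make_targz({"control": b"Package: demo\nVersion: 1.0\n",
                                   "preinst": b"#!/bin/sh\necho changed\n"})
    modified = replace_member(signed, "control.tar.gz", modified_control)
    return verify_deb(signed, key), verify_deb(modified, key), verify_deb(deb, key)


if __name__ == "__main__":
    print(build_demo())
```

`build_demo()` returns `(True, False, False)`: the signed package verifies, a package whose `preinst` inside `control.tar.gz` was changed does not (which answers the concern in the quoted question, since maintainer scripts live in `control.tar.gz`), and a package with no signature member is rejected rather than accepted. Two design details worth keeping in a real implementation: the verifier rejects archives with duplicate member names, because a verifier and an installer that pick different copies of `control.tar.gz` would otherwise disagree about what was signed; and everything outside the two tarballs (the `debian-binary` version member, member order) stays unsigned in this scheme, exactly as the message describes.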