Re: Trying to understand how checksums and signatures work

Gilles Pelletier:
> I found out the MD5SUMs are in the package itself but where are the 
> signatures? I suppose they're in the file that is updated when you do an 
> update. But where is this file?

It's the Release file which is signed (detached signature in
Release.gpg). Release contains md5sums of all Packages files which in
turn contain hashes of all package (.deb) files.

> Why is every file in the package md5summed? Wouldn't a sum on the whole
> package be enough?

I guess this has something to do with error detection at the
installation stage and is not used to detect that someone has
unauthorizedly tampered with the package. But I don't really know.

> I had a bad experience while trying to install guarddog on Knoppix
> (installed) this weekend.

I don't think this has anything to do with cryptographic signatures and
it doesn't sound like a problem you should expect to face on Debian.
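The Release -> Packages -> .deb hash chain described in the reply above, as an added worked example that is not from the original thread: it checks only the hash links and assumes the detached signature on Release has already been verified with gpg; the file contents and the guarddog package entry are constructed sample data, not real archive data.

```python
import hashlib

def parse_release(release: str) -> dict:
    """Return {path: (md5, size)} from the MD5Sum section of a Release file."""
    entries, in_sums = {}, False
    for line in release.splitlines():
        if not line.startswith(" "):
            in_sums = line.strip() == "MD5Sum:"  # other sections (e.g. SHA256) ignored here
            continue
        if in_sums:
            md5, size, path = line.split()
            entries[path] = (md5, int(size))
    return entries

def parse_packages(packages: str) -> dict:
    """Return {Filename: (MD5sum, Size)} for every stanza in a Packages index."""
    entries = {}
    for stanza in packages.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        entries[fields["Filename"]] = (fields["MD5sum"], int(fields["Size"]))
    return entries

def matches(data: bytes, expected: tuple) -> bool:
    """Both the size and the MD5 must agree with the index entry."""
    md5, size = expected
    return len(data) == size and hashlib.md5(data).hexdigest() == md5

def verify_chain(release, packages, packages_path, deb, deb_filename) -> bool:
    """Walk Release -> Packages -> .deb. Assumes Release.gpg was already
    checked against Release (gpg --verify); that step is not done here."""
    rel = parse_release(release.decode())
    if packages_path not in rel or not matches(packages, rel[packages_path]):
        return False
    pkgs = parse_packages(packages.decode())
    return deb_filename in pkgs and matches(deb, pkgs[deb_filename])

# Constructed sample archive (not real Debian data); field layout is the real one.
DEB = b"!<arch>\nconstructed stand-in for guarddog_2.0.0-1_i386.deb\n"
DEB_NAME = "pool/main/g/guarddog/guarddog_2.0.0-1_i386.deb"
PACKAGES = (f"Package: guarddog\nVersion: 2.0.0-1\nFilename: {DEB_NAME}\n"
            f"Size: {len(DEB)}\nMD5sum: {hashlib.md5(DEB).hexdigest()}\n").encode()
PKG_PATH = "main/binary-i386/Packages"
RELEASE = (f"Origin: Debian\nMD5Sum:\n {hashlib.md5(PACKAGES).hexdigest()} "
           f"{len(PACKAGES)} {PKG_PATH}\n").encode()

if __name__ == "__main__":
    print(verify_chain(RELEASE, PACKAGES, PKG_PATH, DEB, DEB_NAME))          # True
    print(verify_chain(RELEASE, PACKAGES, PKG_PATH, DEB + b"x", DEB_NAME))   # False
```

A modified .deb, a modified Packages index, or an index path missing from Release all break the chain, which is why only the top (Release) needs the signature.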

