Re: Remote signing of large files
On Sat, Dec 06, 2008 at 08:21:12PM +0200, subscriptions wrote:
> > On Thu, Dec 04, 2008 at 12:26:31PM +0000, Magnus Therning wrote:
> > I'd feel a bit more safe if the signing could be done on a separate
> > server. However, the built files are large and I don't want to
> > introduce a bottleneck by transferring all files back and forth over
> > the network.
> The above sentences describe a mutually exclusive proposition.
> That is the problem!
Why? Technically you just need the digest (e.g.: the .dsc file) to sign.
The signature technically only signs its content. If you don't trust the
build system to provide you the correct information, how come you trust
it not to modify the package before signing (e.g.: add a 'rm -rf /*' in the
Tzafrir Cohen | firstname.lastname@example.org | VIM is
http://tzafrir.org.il | | a Mutt's
email@example.com | | best
ICQ# 16849754 | | friend
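
The point made in this reply, sketched as an added example that is not part of the original message: only a small digest list has to reach the signing host, and a separate signer does not help if the build host alters a file before hashing it. HMAC-SHA256 stands in for a real detached signature, and the file names, contents and key are constructed.

```python
import hashlib
import hmac
import io

def manifest_for(files):
    """Build host: stream each file, emit '<sha256> <size> <name>' lines,
    the same kind of checksum list a .dsc carries."""
    lines = []
    for name, data in sorted(files.items()):
        stream = io.BytesIO(data)  # with real files: open(path, "rb")
        digest, size = hashlib.sha256(), 0
        for chunk in iter(lambda: stream.read(1 << 20), b""):
            digest.update(chunk)
            size += len(chunk)
        lines.append(f"{digest.hexdigest()} {size} {name}")
    return ("\n".join(lines) + "\n").encode()

def sign(manifest, key):
    """Signing host: receives only the manifest bytes.
    Assumption: HMAC-SHA256 stands in for a detached OpenPGP signature."""
    return hmac.new(key, manifest, hashlib.sha256).hexdigest()

def verify(files, manifest, signature, key):
    """Recipient: check the signature, then the files against the manifest."""
    if not hmac.compare_digest(sign(manifest, key), signature):
        return "bad signature"
    if manifest_for(files) != manifest:
        return "file mismatch"
    return "ok"

def demo():
    key = b"constructed-demo-key"
    built = {"pkg_1.0.orig.tar.gz": b"A" * 3_000_000,  # constructed sample files
             "pkg_1.0-1.diff.gz": b"packaging changes"}
    manifest = manifest_for(built)
    signature = sign(manifest, key)
    results = {"bytes_sent_to_signer": len(manifest),
               "clean": verify(built, manifest, signature, key)}
    # File changed after signing: the signed digest no longer matches.
    altered = dict(built, **{"pkg_1.0-1.diff.gz": b"packaging changes + extra"})
    results["changed_after_signing"] = verify(altered, manifest, signature, key)
    # Build host changed the file before hashing: the signer faithfully signs
    # the altered digest, so verification passes.
    m2 = manifest_for(altered)
    results["changed_before_hashing"] = verify(altered, m2, sign(m2, key), key)
    return results

if __name__ == "__main__":
    print(demo())
```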