[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Remote signing of large files

On Sat, Dec 06, 2008 at 08:21:12PM +0200, subscriptions wrote:
> > On Thu, Dec 04, 2008 at 12:26:31PM +0000, Magnus Therning wrote:
> > I'd feel a bit more safe if the signing could be done on a separate
> > server. However, the built files are large and I don't want to
> > introduce a bottle neck by transfering all files back and forth over
> > the network.
> The above sentences describe a mutual exclusive proposition.
> That is the problem!

Why? Tehcnically you just need the digest (e.g.: the .dsc file) to sign.
The signature technically only signs its content. If you don't trust the 
build system to provide you the correct information, how come you trust 
it not modify the package before signing (e.g.: add a 'rm -rf /*' in the 
prerm script).

Tzafrir Cohen         | tzafrir@jabber.org | VIM is
http://tzafrir.org.il |                    | a Mutt's
tzafrir@cohens.org.il |                    |  best
ICQ# 16849754         |                    | friend

Reply to: