List: gnupg-users
Subject: Re: Automated signature verification for downloads
From: Werner Koch <wk () gnupg ! org>
Date: 2008-04-23 11:23:34
Message-ID: 87prsglsqx.fsf () wheatstone ! g10code ! de
On Wed, 23 Apr 2008 09:33, anthonybryan@gmail.com said:

> The metalink specification is at
> http://www.metalinker.org/implementation.html#spec
> I agree, it's not easy enough to find. That will be fixed.

Okay. (The plain text version is not very readable.)

> The headers are produced by GnuPG when it verifies the signature
> (AFAIK). Is there a problem with this?

No, that is not generated by GnuPG. The script probably presents the
information in this way. It should also state whether the signature is
good or broken.

From the metalink 3.0 specs:

  Also, PGP signatures can be embedded with <signature type="pgp"> and
  can contain an optional file attribute which references another file
  (for example, <file name="linux.sign">) listed in the Metalink as so:

  <verification>
  <signature type="pgp" file="linux.sign">
  -----BEGIN PGP SIGNATURE-----
  Version: GnuPG v1.4.2.2 (GNU/Linux)
  [...]

It is not clear to me why there is the file attribute as well as the
armored version of the signature. Is that signature a signature over
the "linux.sign" file or one over the actual file "linux"?
Referencing a copy does not seem to be a good idea because of error
reporting problems if they don't match.

If it is just an (armored) copy, I suggest dropping the file attribute.
Keeping the armored signature in the XML is just fine.

Salam-Shalom,
Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
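
Added example, not part of the original message and not code from GnuPG or any Metalink client: a sketch of the two points raised above, pulling the embedded armored signature out of a Metalink `<verification>` block and reducing GnuPG's machine-readable `--status-fd` output to an explicit good/bad result. The sample document, the function names and the choice to treat the armor as a detached signature over the download itself (with the `file` attribute reported but not followed) are assumptions.

```python
import subprocess
import xml.etree.ElementTree as ET

# Constructed sample; the armor body is a placeholder, not a real signature.
SAMPLE_METALINK = """<metalink version="3.0"><files><file name="linux">
<verification><signature type="pgp" file="linux.sign">
-----BEGIN PGP SIGNATURE-----

PLACEHOLDER
-----END PGP SIGNATURE-----
</signature></verification>
</file></files></metalink>"""

def _local(tag):
    """Drop an XML namespace prefix so namespaced documents also match."""
    return tag.rsplit("}", 1)[-1]

def embedded_signatures(xml_text):
    """Return (file name, signature 'file' attribute, armored text) tuples."""
    # A Metalink is untrusted input: refuse DTDs, which enable entity expansion.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not accepted")
    found = []
    for f in ET.fromstring(xml_text).iter():
        if _local(f.tag) != "file":
            continue
        for sig in f.iter():
            if _local(sig.tag) == "signature" and sig.get("type") == "pgp":
                found.append((f.get("name"), sig.get("file"),
                              (sig.text or "").strip()))
    return found

def verdict(status_output):
    """Reduce gpg --status-fd output to GOOD, BAD or UNVERIFIED (fail closed)."""
    keywords = {parts[1] for parts in
                (line.split() for line in status_output.splitlines())
                if len(parts) > 1 and parts[0] == "[GNUPG:]"}
    if "BADSIG" in keywords:
        return "BAD"
    if {"GOODSIG", "VALIDSIG"} <= keywords:
        return "GOOD"
    return "UNVERIFIED"  # missing key, expired/revoked key, no signature, ...

def gpg_verify(sig_path, data_path):
    """Assumption: the armor is a detached signature over the download itself."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify",
                           sig_path, data_path], capture_output=True, text=True)
    return verdict(proc.stdout)
```

A caller would write the extracted armor to a temporary file and pass it with the downloaded file to `gpg_verify`, accepting the download only on `GOOD`.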