[Module-build-general] Re: Cryptographically signing distros
From: <and...@an...> - 2002-08-12 07:17:46
>>>>> On Mon, 12 Aug 2002 16:29:43 +1000, Ken Williams <ke...@ma...> said:

> Hi,
>
> Andreas posted this message recently on p5p, it's relevant to
> Module::Build so I'm forwarding to the list. I admit to not knowing
> too much about the matter, but I agree that something should be added.
>
> It might be appropriate to include a digest as an item in the
> generated META.yaml file. Andreas, would this fulfill the
> requirements you can think of? You seem to indicate that each file in
> the distro needs to be signed independently - why is that? Do people
> really need that kind of fine-grained signing?

No, what I meant was (1) each file needs a digest (=checksum) and (2)
the table needs to be signed that lists all files and all digests.

This is in contrast to the widely established practice to first
tar+gzip the distribution and then sign it. Advantages: 50% fewer files
out there on servers, later verification OK, repackaging OK,
re-compressing OK.

META.yaml might be a good place to put the digests in and then let the
people sign that. You just need to be aware that the file that contains
the signature cannot have a checksum itself. Thus it acts as a seal to
the distribution.

-- 
andreas
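The scheme Andreas describes (a digest per file, one signed table listing every file and digest, and the signature file itself excluded from the table because it is the seal), shown as an added example. This code is not from the email, from Module::Build, or from Module::Signature. It assumes a signature file named SIGNATURE, uses a constructed sample distro in a temporary directory, and stands in an HMAC-SHA256 under a shared key for the detached public-key signature a real release would use, so that it runs offline with the standard library only.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

SIGNATURE_FILE = "SIGNATURE"  # assumed file name; the email names none
SEP = "-----SIG-----\n"       # assumed separator between table and seal


def digest_tree(root):
    """Return {relative_path: sha256 hex} for every file under root.
    The signature file is skipped: it carries the seal over the table,
    so it cannot appear in the table it seals."""
    root = Path(root)
    table = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if rel == SIGNATURE_FILE:
            continue
        table[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return table


def render_manifest(table):
    """One line per file: algorithm, digest, relative path (sorted so the
    text is stable across repackaging and recompression of the archive)."""
    return "".join(f"SHA256 {d} {rel}\n" for rel, d in sorted(table.items()))


def sign(text, key):
    """Stand-in for a detached signature over the manifest text (HMAC with a
    shared key, used here only to keep the example offline and runnable)."""
    return hmac.new(key, text.encode("utf-8"), hashlib.sha256).hexdigest()


def write_signature(root, key):
    """Digest the tree, render the table, seal it, write the SIGNATURE file."""
    manifest = render_manifest(digest_tree(root))
    (Path(root) / SIGNATURE_FILE).write_text(manifest + SEP + sign(manifest, key) + "\n")
    return manifest


def verify(root, key):
    """Return (ok, problems): first check the seal over the table, then
    check every listed digest and flag any file the table does not cover."""
    sigpath = Path(root) / SIGNATURE_FILE
    if not sigpath.exists():
        return False, ["missing SIGNATURE"]
    manifest, _, tail = sigpath.read_text().partition(SEP)
    if not hmac.compare_digest(sign(manifest, key), tail.strip()):
        return False, ["manifest signature does not verify"]
    listed = {}
    for line in manifest.splitlines():
        _algo, digest, rel = line.split(" ", 2)
        listed[rel] = digest
    actual = digest_tree(root)
    problems = []
    for rel, digest in listed.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"digest mismatch: {rel}")
    for rel in actual:
        if rel not in listed:
            problems.append(f"unlisted file: {rel}")
    return (not problems), problems


def demo():
    """Constructed sample distro: sign it, verify, modify one file, re-verify."""
    key = b"constructed-demo-key"  # constructed; a real seal uses a signing key
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "lib").mkdir()
        (root / "lib" / "Foo.pm").write_text("package Foo; 1;\n")
        (root / "README").write_text("constructed sample distro\n")
        write_signature(root, key)
        ok_before, _ = verify(root, key)
        (root / "lib" / "Foo.pm").write_text("package Foo; 1; # modified\n")
        ok_after, problems = verify(root, key)
        return ok_before, ok_after, problems


if __name__ == "__main__":
    print(demo())
```

Because the seal covers the table rather than the archive, the same SIGNATURE file stays valid whether the distro is shipped as .tar.gz, .zip, or an unpacked tree, which is the "repackaging OK, re-compressing OK" property from the email; the verification order (seal first, then digests) matters, since an unsealed table proves nothing about the files it lists.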