This is the mail archive of the gcc@gcc.gnu.org mailing list for the GCC project.
On Fri, 2002-07-19 at 01:50, Paul Koning wrote:
> Those aren't signatures, they are only checksums. It isn't clear from
> Zach's note which he's looking for -- the question depends on what
> danger you want to protect against.
>
> A simple MD5 checksum protects against data corruption in transit (TCP
> checksum does the same, but not as well). It does not protect against
> tampering with the file because it's easy to post an md5.sum file
> with corresponding changed checksums.
>
> A signature (e.g., PGP signature) protects against tampering too, but
> you need the signer's public key to check it, and it's more hassle to
> apply since the signer has to supply his private key to do so.
>
> paul

Yes, it is a bit of a hassle, but I think it's worth it.

http://www.gnupg.org/

For example, the Linux kernel, irssi and openssl all use signed downloads. Each file comes with a corresponding .sig file that is generated using the signer's private key. If a distribution server is cracked and the file is altered, the attacker will be unable to generate a valid signature for the altered file (unlike an md5 sum).

Recently irssi was backdoored by an attacker - a digital sig would have enabled users to detect the alteration. The irssi developer is now signing all files.

Incidentally, this email is also signed :-).

-- 
Zach Bagnall <zach.bagnall@bulletinwireless.com>
This email is digitally signed. Key ID: 0x3F9AA9A2.
Attachment:
signature.asc
Description: This is a digitally signed message part
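
The difference discussed in this message, as an added example that is not part of the original post or of any project it names: a checksum stored beside the file still matches after the server copy is altered, while a detached signature checked against a public key obtained elsewhere does not. Ed25519 from Go's standard library stands in for a PGP signature here; the type and function names are hypothetical and the file contents are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"fmt"
)

// Mirror models what a download server stores: the file, its checksum
// (md5.sum) and a detached signature (.sig). All names are hypothetical.
type Mirror struct {
	File, Sig []byte
	MD5       [md5.Size]byte
}

// NewKey creates the maintainer's key pair; only the public half is published.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Publish is the release step, run where the private key lives (not on the mirror).
func Publish(file []byte, priv ed25519.PrivateKey) Mirror {
	return Mirror{File: file, Sig: ed25519.Sign(priv, file), MD5: md5.Sum(file)}
}

// Tamper models an altered server copy: the checksum can be recomputed by
// anyone with write access, the signature cannot, so the old one is left.
func Tamper(m Mirror, altered []byte) Mirror {
	return Mirror{File: altered, Sig: m.Sig, MD5: md5.Sum(altered)}
}

// ChecksumOK compares the file against a value served by the same mirror.
func ChecksumOK(m Mirror) bool { return md5.Sum(m.File) == m.MD5 }

// SignatureOK verifies against a public key the user already holds.
func SignatureOK(m Mirror, pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, m.File, m.Sig)
}

func main() {
	pub, priv := NewKey()
	bad := Tamper(Publish([]byte("release-1.0 (constructed)"), priv), []byte("altered"))
	fmt.Println("md5 ok:", ChecksumOK(bad), "signature ok:", SignatureOK(bad, pub))
}
```

The signature check is only as good as the channel the public key came through: a key fetched from the same server as the file gives no more assurance than the md5.sum file does.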