On Sun, 21 Jul 2019 02:42:39 -0400, Eli Schwartz via arch-general wrote: >The latter problem is why I'm incredibly frustrated by projects that >use PGP, too -- when the only thing they sign is a file containing >checksums, and not the actual source file.
But it doesn't matter, since when the checksum is signed, it's more or less the same as signing the source file/s, that's why almost all simply sign a file containing one or more checksums. Why should this be frustrating? If we are able to ensure that a checksum isn't faked, IOW if can trust the checksum, than we are safe that a source file passing a check against the proven checksum is correct, too.
