Sven-Hendrik Haase <[email protected]> on Thu, 2013/01/31 13:34:
> On 31.01.2013 13:33, Christian Hesse wrote:
> > Sven-Hendrik Haase <[email protected]> on Thu, 2013/01/31 13:19:
> >> On 31.01.2013 13:02, Christian Hesse wrote:
> >>> Pierre Schmitz <[email protected]> on Wed, 2013/01/30 19:12:
> >>>> I am going to build a new ISO image on Friday. I did a test build today
> >>>> and everything looks fine. It's just updated packages; no changes to
> >>>> ais nor archiso. Let me know if there are any known issues or blockers.
> >>> This is not about the ISO itself but its download...
> >>>
> >>> Torrent download files can contain more than just one file. How about
> >>> including a gpg signature for the ISO file? Possibly this increases the
> >>> number of people actually checking the authenticity of downloaded files.
> >> Frankly, why? The torrent already guarantees you didn't get bad data.
> > Sure. But the gpg signature is not (only) about integrity but
> > authenticity.
> >
> > If you get a bad (not broken) torrent file you could download a bad ISO
> > image without noticing that anybody is fooling you.
> Oh so you want to gpg the torrent file itself? Well, that could work, I
> guess.
No, I do not want to sign the torrent file. I want the ISO image and a gpg
signature for it inside the torrent file. Even if anybody fools you, signs
his own ISO with his own key and puts these into a torrent file, you can
easily verify after download:

$ pacman-key -v archlinux-2013.01.04-dual.iso.sig
==> Checking archlinux-2013.01.04-dual.iso.sig ...
gpg: Signature made Thu 31 Jan 2013 01:56:51 PM CET using DSA key ID 2409C107
gpg: Can't check signature: No public key
==> ERROR: The signature identified by archlinux-2013.01.04-dual.iso.sig could not be verified.

Output should look like this, though. Note this only happens if the key is in
pacman's keyring and trusted with the required level:

$ pacman-key -v archlinux-2013.01.04-dual.iso.sig
==> Checking archlinux-2013.01.04-dual.iso.sig ...
gpg: Signature made Fri 04 Jan 2013 11:07:27 PM CET using RSA key ID 9741E8AC
gpg: NOTE: trustdb not writable
gpg: Good signature from "Pierre Schmitz <[email protected]>"
-- 
main(a){char*c=/* Kind regards */"B?IJj;MEH" "CX:;",b;for(a/* Chris get my mail address: */=0;b=c[a++];)
putchar(b-1/(/* gcc -o sig sig.c && ./sig */b/42*2-3)*42);}
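An added example, not code from this thread and not part of Arch's own tooling, of the check described above done so that it fails closed. Instead of reading gpg's human-readable "Good signature from ..." text, it parses the machine-readable `--status-fd` lines and accepts a signature only when it was made by a key whose fingerprint you pinned beforehand. The fingerprint, key IDs, names and status lines below are constructed placeholders, not values from the real ISO or signer.

```shell
#!/bin/sh
# Added example (not from the thread, not Arch code): accept a detached
# signature on the ISO only if it was made by a *pinned* key, so a torrent
# that ships an attacker's ISO plus the attacker's own signature is rejected
# whether or not that key happens to be in your keyring.
#
# gpg's prose output is not meant for scripts; --status-fd emits stable
# "[GNUPG:] <KEYWORD> ..." lines that are.

# Primary-key fingerprint of the release signer. Placeholder (an assumption
# for this example): obtain the real value from a source you already trust,
# never from the torrent that also carries the signature.
EXPECTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# check_status EXPECTED_FPR  < gpg status lines
# Returns 0 only if exactly one VALIDSIG was seen and its primary-key
# fingerprint equals EXPECTED_FPR. Returns 1 for an unknown key (NO_PUBKEY),
# a bad signature, an expired/revoked key, no signature at all, or a valid
# signature from some other key.
check_status() {
    expected=$1
    valid=0
    bad=0
    while IFS=' ' read -r tag keyword rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $keyword in
            VALIDSIG)
                # VALIDSIG <sig-fpr> <date> <ts> <expire> <ver> <rsv>
                #          <pk-algo> <hash-algo> <class> <primary-fpr>
                # Compare the primary fingerprint (field 10) so a signing
                # subkey of the pinned key is accepted too; fall back to the
                # signing-key fingerprint (field 1) if field 10 is absent.
                set -- $rest
                primary=${10:-$1}
                if [ "$primary" = "$expected" ]; then
                    valid=$((valid + 1))
                else
                    bad=1          # cryptographically valid, wrong signer
                fi
                ;;
            BADSIG|ERRSIG|NO_PUBKEY|EXPSIG|EXPKEYSIG|REVKEYSIG|NODATA)
                bad=1
                ;;
        esac
    done
    [ "$bad" -eq 0 ] && [ "$valid" -eq 1 ]
}

# verdict EXPECTED_FPR  < gpg status lines   -> prints "accept" or "reject"
verdict() {
    if check_status "$1"; then echo accept; else echo reject; fi
}

# verify_iso ISO SIG EXPECTED_FPR
# Status lines go to stdout (--status-fd 1); the chatty text goes to stderr.
# Set GNUPGHOME=/etc/pacman.d/gnupg to verify against pacman's keyring.
verify_iso() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status "$3"
}

# Constructed status output (not captured from a real gpg run) for the cases
# discussed in the thread. Key IDs, fingerprints and timestamps are made up.
STATUS_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF01234567 Release Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2013-01-04 1357340847 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'
# Attacker signed with a key you do not have: "Can'"'"'t check signature: No public key".
STATUS_NO_PUBKEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG FEDCBA9876543210 17 8 00 1359637011 9 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] NO_PUBKEY FEDCBA9876543210'
# Attacker's key was imported (e.g. it came in the torrent): the signature
# verifies, but the signer is not the pinned key.
STATUS_WRONG_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Anyone <anyone@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2013-01-31 1359637011 0 4 0 1 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp'
# ISO was modified after it was signed.
STATUS_BADSIG='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF01234567 Release Signer <signer@example.invalid>'

demo() {
    printf 'good signature, pinned key:      %s\n' "$(printf '%s\n' "$STATUS_GOOD" | verdict "$EXPECTED_FPR")"
    printf 'unknown key (No public key):     %s\n' "$(printf '%s\n' "$STATUS_NO_PUBKEY" | verdict "$EXPECTED_FPR")"
    printf 'valid signature, wrong key:      %s\n' "$(printf '%s\n' "$STATUS_WRONG_KEY" | verdict "$EXPECTED_FPR")"
    printf 'bad signature (ISO modified):    %s\n' "$(printf '%s\n' "$STATUS_BADSIG" | verdict "$EXPECTED_FPR")"
}
demo
```

With a real download, `verify_iso archlinux-2013.01.04-dual.iso archlinux-2013.01.04-dual.iso.sig "$EXPECTED_FPR"` exits 0 only for the pinned signer. As the thread notes, the "Good signature" line above depends on the key being in pacman's keyring and trusted at the required level; this script instead relies only on the fingerprint you pinned, so the trust database (and the "NOTE: trustdb not writable" warning) plays no part, and an attacker's signature fails the same way whether or not his key was imported.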
