On 21 sep. 2014, at 20:29, W. Martin Borgert <deba...@debian.org> wrote:
> If a package would change by adding another signature, then this
> would invalidate previous signatures.

Package formats like apk and jar avoid this chicken-and-egg problem by hashing 
the files inside a package, and storing those hashes in a manifest file. 
Signatures only sign the manifest file. The manifest itself and the signature 
files are not part of the manifest, but are part of the package. So a package 
including its signature(s) is still a single file.

Richard
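The manifest-based layout described above, as an added worked example that is not part of the original thread and not the jar/apk tooling itself: content files are digested into a manifest, each signer signs only the manifest, and the manifest and signature files live under a `META-INF/`-style prefix that the manifest does not cover. Adding a second signature therefore changes the package without touching the bytes the first signature covers, while altering or smuggling in a content file is caught when the manifest is checked. For portability the block uses HMAC with per-signer keys as a stand-in for public-key signatures (an assumption, so it runs on the standard library alone); the file names, contents and keys are constructed sample data.

```python
import base64
import hashlib
import hmac

# Layout borrowed from jar/apk: manifest and signature files sit under one
# prefix that is excluded from the manifest's own entries.
META_PREFIX = "META-INF/"
MANIFEST_NAME = META_PREFIX + "MANIFEST.MF"
SIG_SUFFIX = ".SIG"


def _digest(data):
    """Base64 SHA-256 digest, as jar manifests record per-entry digests."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def build_manifest(files):
    """Return manifest text with one Name/SHA-256-Digest entry per content file.
    Anything under META-INF/ (manifest, signatures) is deliberately excluded."""
    lines = ["Manifest-Version: 1.0", ""]
    for name in sorted(files):
        if name.startswith(META_PREFIX):
            continue
        lines += [f"Name: {name}", f"SHA-256-Digest: {_digest(files[name])}", ""]
    return "\n".join(lines).encode()


def parse_manifest(manifest):
    """Map entry name -> recorded digest from manifest text."""
    entries, name = {}, None
    for line in manifest.decode().splitlines():
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name is not None:
            entries[name] = line[len("SHA-256-Digest: "):]
            name = None
    return entries


def add_signature(package, signer_id, key):
    """Sign the manifest only and store the result as META-INF/<signer>.SIG.
    The manifest is never modified, so signatures already present stay valid.
    HMAC stands in for a public-key signature here (assumption for portability)."""
    mac = hmac.new(key, package[MANIFEST_NAME], hashlib.sha256).hexdigest()
    package[f"{META_PREFIX}{signer_id}{SIG_SUFFIX}"] = mac.encode()


def verify(package, signer_id, key):
    """Verify one signer's signature over the manifest, then every content file
    against the manifest. Unlisted or missing content files fail verification."""
    sig = package.get(f"{META_PREFIX}{signer_id}{SIG_SUFFIX}")
    if sig is None:
        return False
    manifest = package[MANIFEST_NAME]
    expected = hmac.new(key, manifest, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(sig, expected):
        return False
    # Manifest is now authenticated; check that it describes exactly the content present.
    entries = parse_manifest(manifest)
    content = {n: d for n, d in package.items() if not n.startswith(META_PREFIX)}
    if set(entries) != set(content):
        return False
    return all(hmac.compare_digest(_digest(d), entries[n]) for n, d in content.items())


def demo():
    """Build a package, sign it twice, and show which checks pass. Sample data is constructed."""
    files = {"lib/app.py": b"print('hello')\n", "README": b"demo package\n"}
    package = dict(files)
    package[MANIFEST_NAME] = build_manifest(files)
    add_signature(package, "ALICE", b"alice-key")
    add_signature(package, "BOB", b"bob-key")  # second signer; manifest untouched
    results = {
        "alice_after_second_sig": verify(package, "ALICE", b"alice-key"),
        "bob": verify(package, "BOB", b"bob-key"),
        "wrong_key": verify(package, "BOB", b"not-bobs-key"),
    }
    tampered = dict(package)
    tampered["lib/app.py"] = b"print('changed')\n"  # content edit breaks the digest
    results["tampered"] = verify(tampered, "ALICE", b"alice-key")
    extra = dict(package)
    extra["lib/extra.py"] = b"pass\n"  # unlisted file is rejected too
    results["unlisted_file"] = verify(extra, "ALICE", b"alice-key")
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'valid' if ok else 'INVALID'}")
```

The two properties the email relies on fall out directly: `add_signature` only writes a new `META-INF/` entry, so Alice's signature still verifies after Bob signs, and because verification covers both the manifest's entry set and each digest, neither modifying a listed file nor adding an unlisted one passes.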

Archive: https://lists.debian.org/8ce64b3d-6269-47a6-8cf2-5ecaa631b...@vdberg.org