W. Martin Borgert wrote:
> On 2014-09-24 23:05, Hans-Christoph Steiner wrote:
>> * the signature files sign the package contents, not the hash of
>> whole .deb file (i.e. control.tar.gz and data.tar.gz).
>
> So preinst and friends would not be signed? Sounds dangerous to me.
All package contents would be signed, except the signature itself. The signature would be a separate file in the ar archive of the .deb that signs control.tar.gz and data.tar.gz. See jar or apk format for an example of how this works.

.hc

Archive: https://lists.debian.org/[email protected]
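As an added illustration of the scheme described in this reply (not code from the thread, from dpkg or from the jar/apk tooling), the following Python models a .deb whose ar archive carries an extra member signing the bytes of control.tar.gz and data.tar.gz, so that a changed preinst inside control.tar.gz breaks verification while the signature member itself is never covered. An HMAC-SHA256 stands in for a real detached signature, and the member name `_signature` is an assumption.

```python
import hashlib, hmac, io, tarfile

AR_MAGIC = b"!<arch>\n"
SIGNED = ("control.tar.gz", "data.tar.gz")  # members the signature covers (as in the thread)
SIG_MEMBER = "_signature"  # assumed name of the signature member; not from the thread

def ar_pack(members):
    # Minimal ar writer: header is name(16) mtime(12) uid(6) gid(6) mode(8) size(10) "`\n"
    chunks = [AR_MAGIC]
    for name, data in members:
        chunks.append(f"{name:<16}{0:<12}{0:<6}{0:<6}{100644:<8}{len(data):<10}".encode() + b"`\n")
        chunks.append(data + (b"\n" if len(data) % 2 else b""))  # data padded to an even offset
    return b"".join(chunks)

def ar_unpack(blob):
    assert blob[:8] == AR_MAGIC, "not an ar archive"
    pos, members = 8, []
    while pos + 60 <= len(blob):
        hdr, pos = blob[pos:pos + 60], pos + 60
        name, size = hdr[:16].decode().rstrip(" /"), int(hdr[48:58])
        members.append((name, blob[pos:pos + size]))
        pos += size + size % 2
    return members

def tar_gz(files):
    # Build a control.tar.gz / data.tar.gz style member from {path: bytes}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def sign_contents(members, key):
    # HMAC-SHA256 stands in for a detached signature over the SIGNED members only
    m, h = dict(members), hmac.new(key, digestmod=hashlib.sha256)
    for name in SIGNED:
        h.update(name.encode() + b"\0" + len(m[name]).to_bytes(8, "big") + m[name])
    return h.digest()

def build_signed_deb(control_files, data_files, key):
    members = [("debian-binary", b"2.0\n"), ("control.tar.gz", tar_gz(control_files)),
               ("data.tar.gz", tar_gz(data_files))]
    return ar_pack(members + [(SIG_MEMBER, sign_contents(members, key))])

def verify_deb(blob, key):
    m = dict(ar_unpack(blob))
    if SIG_MEMBER not in m or any(n not in m for n in SIGNED):
        return False  # signature member or a covered member is missing
    return hmac.compare_digest(m[SIG_MEMBER], sign_contents(m.items(), key))
```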

