On Thu, Oct 14, 2021 at 10:36 AM Romain Manni-Bucau <[email protected]> wrote:
> I agree with Bernd, checksums are there to validate the consistency of the
> artifact, nothing linked to security.

Ensuring user gets a consistent artifact as desired -and not a malicious forged one- is 1 aspect of security.

> On central the security side is provided by the asc file which is
> sufficient if you trust only allowed releasers keys in practice, pretending
> you are a releaser will be quite hard so this is likely the best security
> you can setup as of today and no checksum algorithm can make it stronger
> (it is 1-1 in terms of security).

That is as far as I understand another aspect of security, which is more about authenticating provenance of the artifact when publishing it to the repo and verifying the author. It can be used as an alternative to checksums as well because the signature contains a form of hash, but -correct me if I'm wrong- if the only goal is to verify consistency, then signatures are overkill and will perform worse than checksum algorithms anyway.
