On 2019-02-12 12:42:27 -0500 (-0500), Wes Turner wrote:
[...]
> - cryptographically sign the SHA-256 checksums with a key and retrieve the
> corresponding key over a different channel
[...]

If you're going to use asymmetric cryptography with PKI to sign something, you might as well just directly sign (a hash of) the package file rather than merely signing (a hash of) its checksum. Either way you're relying on the strength of your signing implementation, so also having to rely on the strength of the checksum is just added potential weakness and complexity.

--
Jeremy Stanley
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at https://mail.python.org/archives/list/distutils-sig@python.org/message/22DUNOXZSRCBQBT3CLTRJHICB5LKKSSI/