On 12/19/14 11:28 AM, Ludwig Hügelschäfer wrote:
| On 19.12.14 18:09, Doug Barton wrote:
|
|> Thank you for the time you've spent on this, but a minor quibble if
|> you don't mind. Could you please provide signatures for the dmg
|> files,
|
| Open the .dmg and you'll notice the signature of the Installer
| (Install.pkg).

If you look at (what in my mind are) the parallels in Windows (exes/installers) and Unix (tarballs) I don't have to perform any actions on them at all prior to verifying the signatures. I'd like to have the same luxury for the dmg file.

In addition to the above, the 1 signature only covers that 1 item, there are other items in the dmg file.

Now that said, perhaps it is my relative unfamiliarity with the dmg format that is causing my concern. It seems to me (on experience and some reading, both limited) that there are "things" that happen when I open one, similar to the autoplay feature for optical discs in Windows. That's part of the reason I'd like to be able to verify the dmg before opening it.

If that last concern is misplaced, then I am less hesitant, however it would still seem to be a good operational practice to sign the whole blob. Admittedly that is less tidy, as now you have two files to keep track of instead of one, but since I use all 3 OS', it's not particularly burdensome from my perspective.

Doug
