Is there a way to make gnupg sign the name of the file as well? So verification would fail if file names were renamed?
Drop version 1.7 of your 'foo' program into a directory called 'foo-1.7'. Now: tar cf foo-1.7.tar foo-1.7 && gpg --sign foo-1.7.tar Congratulations. Even if someone changes "foo-1.7.tar.xz" to "foo-1.6.tar.xz", you can trivially look inside the archive and see it's foo-1.7. The contents are signed and you have some way of being able to verify the file version hasn't been tampered with by comparing the version number inside the signed tarfile with the version number on the tarfile.
I know, one could create a sha512sum (or so) file that contains the hash and the name of the file, then gpg sign that file. But I find that method more complex, complicated, cumbersome. Is there any easier and/or gpg built in way?
What you're talking about is called 'signing a manifest' and it's pretty much the only game in town. That technique is in use in a lot of different places and it's a standard tool. Done right, it's simple and easy -- I use a Python script to do this task automagically.

_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
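For readers who want to see what "signing a manifest" looks like in practice, here is a small script in the spirit of the one mentioned above. It is an added example written for this thread, not the poster's script and not part of GnuPG. It assumes `gpg` is on PATH with a usable default signing key, and it uses the `sha512sum(1)` line format ("<hex>  <name>") so the unsigned manifest can also be checked with `sha512sum -c`. The point the question is after is visible in `check_manifest`: the filename is part of the signed text, so renaming `foo-1.7.tar.xz` to `foo-1.6.tar.xz` makes verification fail even though the signature on the manifest itself is still good.

```python
#!/usr/bin/env python3
"""Sign a SHA512 manifest of a directory with gpg and verify it later.

Added example for the gnupg-users thread; assumes `gpg` on PATH with a
default signing key. The manifest uses the sha512sum(1) format.
"""
import hashlib
import os
import subprocess
import sys

MANIFEST = "SHA512SUMS"          # unsigned manifest name (assumed)
SIGNED = MANIFEST + ".asc"       # clearsigned manifest name (assumed)


def build_manifest(files):
    """files: {name: bytes} -> sha512sum-style text, sorted by name.

    The name is what ties a digest to an artifact; it is inside the signed
    text, so a rename is caught at verification time.
    """
    lines = []
    for name in sorted(files):
        if "\n" in name or "\\" in name:
            # sha512sum would backslash-escape these; we simply refuse them.
            raise ValueError(f"unsupported filename: {name!r}")
        lines.append(f"{hashlib.sha512(files[name]).hexdigest()}  {name}")
    return "\n".join(lines) + "\n"


def parse_manifest(text):
    """Inverse of build_manifest: {name: hexdigest}. Rejects malformed lines."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        digest, sep, name = line.partition("  ")
        ok = sep and len(digest) == 128 and all(c in "0123456789abcdef" for c in digest)
        if not ok or name in entries:
            raise ValueError(f"bad or duplicate manifest line {lineno}: {line!r}")
        entries[name] = digest
    return entries


def check_manifest(expected, files):
    """Compare a parsed manifest with {name: bytes}; return sorted problems ([] = ok).

    MISSING: a listed name is absent (e.g. the file was renamed);
    MISMATCH: the content changed; UNLISTED: a file nobody signed for.
    """
    problems = []
    for name, digest in expected.items():
        if name not in files:
            problems.append(f"MISSING {name}")
        elif hashlib.sha512(files[name]).hexdigest() != digest:
            problems.append(f"MISMATCH {name}")
    for name in files:
        if name not in expected and name not in (MANIFEST, SIGNED):
            problems.append(f"UNLISTED {name}")
    return sorted(problems)


def read_tree(directory):
    """Regular files directly inside directory as {name: bytes}."""
    out = {}
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as f:
                out[name] = f.read()
    return out


def sign(directory):
    files = read_tree(directory)
    files.pop(MANIFEST, None)
    files.pop(SIGNED, None)
    # --clearsign keeps the digests and names human-readable inside the
    # signed message; "-" tells gpg to read the manifest from stdin.
    subprocess.run(["gpg", "--batch", "--yes", "--clearsign", "--output", SIGNED, "-"],
                   input=build_manifest(files).encode(), cwd=directory, check=True)


def verify(directory):
    # gpg --decrypt on a clearsigned file verifies the signature and writes the
    # signed text to stdout; a bad or unverifiable signature exits non-zero,
    # so nothing is ever compared against an unverified manifest.
    result = subprocess.run(["gpg", "--batch", "--output", "-", "--decrypt", SIGNED],
                            cwd=directory, capture_output=True, check=True)
    return check_manifest(parse_manifest(result.stdout.decode()), read_tree(directory))


if __name__ == "__main__":
    if len(sys.argv) < 2 or sys.argv[1] not in ("sign", "verify"):
        sys.exit(f"usage: {sys.argv[0]} sign|verify [DIR]")
    where = sys.argv[2] if len(sys.argv) > 2 else "."
    if sys.argv[1] == "sign":
        sign(where)
    else:
        issues = verify(where)
        print("\n".join(issues) or "OK")
        sys.exit(1 if issues else 0)
```

Run `./manifest.py sign dist/` after building a release and `./manifest.py verify dist/` on the receiving side. Note that the signature only proves the manifest is authentic; the name and content checks in `check_manifest` are what actually catch a renamed or swapped tarball, which is exactly the gap the question describes with a bare detached signature.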
