Artifacts that must be signed are produced on M, which is capable of
calculating hashes (e.g. SHA-256 hashes). H has the ability to read
these hashes but cannot access the artifacts.
How does H know that the hash is valid? H could just sign the hash if it
trusts what M generates, but it isn't obvious to me how that's more
secure than just having M sign it.
-C
_______________________________________________
Gnupg-users mailing list
https://lists.gnupg.org/mailman/listinfo/gnupg-users