On Tue, May 19, 2015 at 06:47:59AM BST, Doug Hogan wrote: > On Sun, May 17, 2015 at 11:52:19PM +0100, Raf Czlonka wrote: > > There are several things which this script does not check for - some > > of those are on my TODO list: > > I didn't review your script, but I did ctrl+s... > > TODO item #0 should be to use signify with SHA256.sig rather than > checking SHA256 directly. There's an example in the man page. :) > > SHA-256 checks if the files were downloaded properly, but it does not > check if the files are from us. signify with SHA256.sig provides both > integrity and authentication.
Hi Doug, Well, I relied on the fact that the installer does that anyway... but you are right, given the fact that we now have signify, it is the right approach - it is also cleaner than what I had before. Thanks for the tip! Raf
