Hi Frederick,

On Fri, Feb 27, 2009 at 2:18 PM, Frederick Hirsch <[email protected]> wrote:
> Marcos
>
> Yes, logically there would be two self contained signatures with references
> to every file in the package.
>
> Again Policy indicates which signatures must be verified. What does the
> packaging spec currently say?

It says, "see Widgets Digsig Spec" :)

> To date it has been one distributor spec that
> must be verified. We should be clearer on this - I think this goes with the
> changes we make regarding filename sorting and processing.

The P&C just hands the list of signatures to the Dig Sig spec.

> However if both are to be verified, and if the algorithms are the same
> (which is currently the case given one hash algorithm in widget signatures)
> an implementation could be smart and calculate the reference hashes once,
> eliminating that overhead if it were a concern.

Right, but using the same algorithms is not guaranteed.

Kind regards,
Marcos

-- 
Marcos Caceres
http://datadriven.com.au
