Stefan Fritsch wrote:
> On Sunday 21 September 2014 21:13:50, Richard van den Berg wrote:
>> Package formats like apk and jar avoid this chicken and egg problem
>> by hashing the files inside a package, and storing those hashes in
>> a manifest file. Signatures only sign the manifest file. The
>> manifest itself and the signature files are not part of the
>> manifest, but are part of the package. So a package including it's
>> signature(s) is still a single file.
> This is bad design and will inevitably lead to security issues (as has
> been demonstrated by Android and apk). One must check the signature
> first, and only if the signature matches, start parsing complex file
> formats. And yes, zip is complex enough to be a problem.
It is true that an embedded signature requires more complicated code, but it
also simplifies the parts that the user has to understand. Perfect code with
a bad user experience will also inevitably lead to security issues.
I'm guessing that ar format is simpler than zip, so that'd be helpful.
PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81
Reproducible-builds mailing list