sadly, AFAIK this document does not exist as yet. (i have been intending
to create one for quite a long time.)
please google for the theory behind these technologies but i'll try to
give a brief guide.
md5 is a checksum. a checksum is a numeric hash of a file. the idea is
that two different files will have different checksums. you use a
secure, trusted channel to learn the checksum then use the same
algorithm to calculate the checksum for the file which has been obtained
from an untrusted channel. if the checksum calculated matches then you
can conclude that the file is identical to the one that the trusted
checksum was calculated from.
in ASF terms, downloading a file from a apache mirrored and an md5
checksum from an apache server and calculating the md5 sum for that file
should allow you to determine whether the file you downloaded from the
mirror is identical to the file that the sum placed on the apache server
was calculated from.
checking the md5 sum should be a good enough guarantee for the vast
majority of users.
if you have more stringent requirements, you might also want to check
the openPGP compatible digital signature. this tells you something
different: which key was used to sign the release. if you have a public
key matching the private key used to sign the release then you can
verify the signature of the file. this tell you whether the file is
identical to the one used to create the signature. note that you can
only trust this method of verification as far as you can trust the
public key. unless your web of trust extends to the key in question,
this method may be no more secure than the md5 sum. see
http://people.apache.org/~henkp/.
in terms of implementations, i use http://www.gnupg.org for the
signatures, and openssl or md5sum for the sums.
- robert
On Sun, 2005-05-01 at 12:02 -0600, Robert Voelkerding wrote:
Please direct me to an explanation of how to use MDE and/or PGP keys to
verify downloads.
Thank you.
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
