OK, I guess I know too little about PGP. So, if someone does not have the private key, they cannot provide the right signature. So even if you download the signature and the file from a fake page, you would notice by checking the authenticity. Is that right?
Thanks again. :-)

2011/9/23 <[email protected]>

> On 23/09/11 15:10, Michael Gomboc wrote:
>
> > Thanks Andrew. But when the SSL certificate is faked....
>
> If you have the public key which corresponds to the private key which
> was used to create the signature, then it doesn't matter if the SSL
> certificate is faked. Even using non-SSL http would be fine.
>
> https://www.torproject.org/docs/verifying-signatures.html
>
> If the file, or the signature file you download are tampered with, doing
> this verification will alert you to that fact.
>
> --
> Mike Cardwell https://grepular.com/ https://twitter.com/mickeyc
> Professional http://cardwellit.com/ http://linkedin.com/in/mikecardwell
> PGP.mit.edu 0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
>
> _______________________________________________
> tor-talk mailing list
> [email protected]
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

--
Michael Gomboc
pgp-id: 0x5D41FDF8
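The point made in this thread, as an added example that is not part of the original messages: verification depends only on the public key the user already holds, not on the channel the file and signature arrived over. It uses a Lamport one-time signature built from the Python standard library as a stand-in for OpenPGP, and all names and byte strings are constructed.

```python
# Added illustration: Lamport one-time signatures (stdlib only) stand in for
# OpenPGP. All names and byte strings are constructed for this example.
import hashlib
import secrets

def _h(b):
    return hashlib.sha256(b).digest()

def keygen():
    # Private key: 256 pairs of random secrets; public key: their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(_h(a), _h(b)) for a, b in sk]

def _bits(data):
    d = int.from_bytes(_h(data), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, data):
    # Reveal one secret per digest bit. A Lamport key must sign only once.
    return [sk[i][bit] for i, bit in enumerate(_bits(data))]

def verify(pk, data, sig):
    # Needs only the public key; the download channel is never consulted.
    if len(sig) != 256:
        return False
    return all(_h(s) == pk[i][bit]
               for i, (s, bit) in enumerate(zip(sig, _bits(data))))

def demo():
    pub_sk, pub_pk = keygen()        # publisher; user already holds pub_pk
    fake_sk, fake_pk = keygen()      # operator of the fake page
    release = b"constructed release archive"
    altered = b"constructed altered archive"
    release_sig = sign(pub_sk, release)
    altered_sig = sign(fake_sk, altered)
    return {
        "genuine file, genuine sig": verify(pub_pk, release, release_sig),
        "altered file, genuine sig": verify(pub_pk, altered, release_sig),
        "altered file, re-signed": verify(pub_pk, altered, altered_sig),
        # Caveat: a key fetched from the same fake page proves nothing.
        "altered file, key from fake page": verify(fake_pk, altered, altered_sig),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{'PASS' if ok else 'FAIL'}  {case}")
```

The last case is why the signing key has to be obtained and checked through a route independent of the download page.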
