[tor-bugs] #2340 [Tor bundles/installation]: GPG signatures do not authenticate filenames
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Sun Jan 9 21:35:32 UTC 2011
#2340: GPG signatures do not authenticate filenames
--------------------------------------+-------------------------------------
Reporter: rransom | Owner: rransom
Type: defect | Status: needs_review
Priority: critical | Milestone:
Component: Tor bundles/installation | Version:
Keywords: | Parent:
--------------------------------------+-------------------------------------
Changes (by nickm):
* status: assigned => needs_review
Comment:
I just uploaded a shell script that takes a package file as its argument
and generates a clearsigned document giving the package name, the package
version, the correct SHA256 digest, and some basic verification
instructions.
I've tested it with Tor source distributions; it might need more smarts to
properly grab package names and version numbers from other things. It
surely needs more human-friendly instructions.
If we like it, we can stick it into contrib/ and use it to sign all our
stuff.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2340#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list