[tor-talk] Absence of digital signature of TBB sources
Maxim Kammerer
mk at dee.su
Thu Apr 5 21:22:53 UTC 2012
On Thu, Apr 5, 2012 at 23:39, James Brown <jbrownfirst at gmail.com> wrote:
> And how can I check signatures of the git tags?
You need to clone the repository, since git signatures sign SHA-1
hashes of DAG nodes [1], which need to be traversed until tree root
for verification. This is also an answer to Andrew's question above:
git tags are not better than signed source tarballs for users who only
need to compile the source.
[1] http://eagain.net/articles/git-for-computer-scientists/
--
Maxim Kammerer
Liberté Linux (discussion / support: http://dee.su/liberte-contribute)
More information about the tor-talk
mailing list