[tor-talk] Absence of digital signature of TBB sources

Maxim Kammerer mk at dee.su
Thu Apr 5 21:22:53 UTC 2012

On Thu, Apr 5, 2012 at 23:39, James Brown <jbrownfirst at gmail.com> wrote:
> And how can I check signatures of the git tags?

You need to clone the repository, since git signatures sign SHA-1
hashes of DAG nodes [1], which need to be traversed until tree root
for verification. This is also an answer to Andrew's question above:
git tags are not better than signed source tarballs for users who only
need to compile the source.

[1] http://eagain.net/articles/git-for-computer-scientists/

Maxim Kammerer
Liberté Linux (discussion / support: http://dee.su/liberte-contribute)

More information about the tor-talk mailing list