Re: [ft-devel] DSIG - Re: Freetype-devel Digest, Vol 130, Issue 8

[Werner LEMBERG]

>> But I think signing is a good thing - not from the security point
>> of view, but of making font designers (or rather, font modifiers)
>> less callous about doing ad hoc modification of fonts. I think
>> requiring signing - or even just *showing* the DSIG status - of
>> fonts would improve the general quality of them.
> 
> There's water under that bridge already.  Neither WOFF nor WOFF2
> maintain the exact byte sequence in a font.

And integrity checks at installation time can be easily done with an
external MD5 or sha256 checksum, which is far easier to handle.


    Werner