[Bug-tar] pgp signatures

bug-tar

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug-tar] pgp signatures

From:	Timo Sirainen
Subject:	[Bug-tar] pgp signatures
Date:	Wed, 13 Aug 2003 23:50:41 +0300

This ftp.gnu.org breakin again brings to my mind that it should be mucheasier to check file signatures. There is of course the .asc signaturesthat people distribute, but how many people actually verify them? Notmany since it always takes extra time. At least doubles the effort toget something unpacked.

Most software is distributed with tar, and a lot of people use GNU tar,so why not create some GNU extension for it? You could still have the.asc signatures, but you could also have automatic signature checkingassuming your system is correctly configured (which is a job fordistributions).

I was thinking a very simple and backwards compatible change. Signingwould basically do:


tar cf file.tar stuff
gpg --sign file.tar > signature.pgp
tar rf file.tar signature.pgp

Whenever extracting notices signature.pgp file, it would feed all databefore that file (plus the terminating zero blocks) to gpg --verify. Ifthere's any files after signature.pgp, it would issue a warning andwould not uncompress those without some --force-insecure option.

signature.pgp filename should probably be changed. Maybe it could bemarked in some special way too.

The actual signing and verifying would be done by reading commands todo that from /etc/tar.conf or something, so tar would do very littleactually.

[Prev in Thread]

Current Thread

[Next in Thread]

[Bug-tar] pgp signatures, Timo Sirainen <=

Prev by Date: [Bug-tar] Re: tar: incremenatal backup
Next by Date: [Bug-tar] problem when extracting from a gnu tar file on Win2000.
Previous by thread: [Bug-tar] Re: tar: incremenatal backup
Next by thread: [Bug-tar] problem when extracting from a gnu tar file on Win2000.
Index(es):
- Date
- Thread