(fwd from jerry@theashergroup.com) Suggestion: describe (or link to) how to verify your distributions

Steve Langasek vorlon at netexpress.net
Fri Nov 22 22:04:01 GMT 2002


On Fri, Nov 22, 2002 at 03:16:09PM -0600, David W. Chapman Jr. wrote:
> On Fri, Nov 22, 2002 at 01:08:39PM -0800, Martin Pool wrote:
> > Yeah, sure, but:

> >  What does this all mean?  Why should I care?

> >  Where do I get GPG?

> >  Where do I get the samba codesigning key?  How do I import it?   How
> >  do I know I got the right one?

> >  What do I do if it doesn't verify?

> I always wondered if someone uploaded a tarball with a trojan, what's 
> preventing them from updating the .asc file as well?

It's a cryptographic signature that can only be produced using a specific
key.  Assuming that the key belongs to the party whose name is on it, and
assuming that the key is well-protected from theft, and assuming that the
algorithms used by PGP haven't been broken, you can be assured that the
signature was made by the person it claims to have come from.

Asking about, I've been pointed to <http://gnupg.org/gph/en/manual.html>
as a general intro to GPG.

-- 
Steve Langasek
postmodern programmer
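
The point made in the reply above, as an added example that is not part of the original message or of the Samba project's tooling: a replaced tarball fails against the original .asc, and a regenerated .asc fails as soon as the verifier insists on the publisher's key fingerprint. It assumes GnuPG 2.1 or later; both keys, their names and the tarball are constructed in a scratch keyring.

```shell
#!/bin/sh
# Added example: every key, name and file here is constructed, in a scratch keyring.
export GNUPGHOME="$(mktemp -d)"; chmod 700 "$GNUPGHOME"
WORK="$(mktemp -d)"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME" "$WORK"' EXIT

# make_key UID: create a passphrase-less signing key, print its fingerprint.
make_key() {
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$1" ed25519 sign never >/dev/null 2>&1
    gpg --batch --with-colons --fingerprint "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# sign_as FPR FILE: write a detached, armoured signature to FILE.asc.
sign_as() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        --local-user "$1" --armor --output "$2.asc" --detach-sign "$2" 2>/dev/null
}

# verify_release FILE PINNED_FPR: succeed only if FILE.asc is a valid signature
# over FILE and the signing key's primary fingerprint equals PINNED_FPR.
verify_release() {
    out=$(gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null) || return 1
    # The last field of the VALIDSIG status line is the primary key fingerprint.
    signer=$(printf '%s\n' "$out" | awk '$2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$signer" ] && [ "$signer" = "$2" ]
}

report() {  # report LABEL: print the verdict for $TARBALL against the pinned key
    if verify_release "$TARBALL" "$RELEASE_FPR"; then echo "$1: verified"
    else echo "$1: REJECTED"; fi
}

RELEASE_FPR=$(make_key "Constructed Release Key <release@example.org>")
OTHER_FPR=$(make_key "Constructed Other Key <other@example.org>")
TARBALL="$WORK/pkg.tar.gz"

printf 'genuine release\n' > "$TARBALL"; sign_as "$RELEASE_FPR" "$TARBALL"
report "genuine tarball, genuine .asc"
printf 'modified contents\n' > "$TARBALL"
report "replaced tarball, original .asc"
sign_as "$OTHER_FPR" "$TARBALL"
report "replaced tarball, .asc regenerated with a different key"
```

In the third case gpg itself reports a good signature, because the second key is in the keyring; only the fingerprint comparison rejects it, which is why the fingerprint has to come from a channel other than the download site.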