dmd download sig file, how do I use it
Seb
seb at wilzba.ch
Sun Mar 25 18:57:02 UTC 2018
On Sunday, 25 March 2018 at 14:13:41 UTC, Ali wrote:
>> (Note: the individual keys in the keyring are currently
>> expired and we are working on rolling out a new keyring, but
>> that doesn't affect verifying the existing signatures.)
>
> while you are at it, also add a sha1 or a sha256 checksum, I
> think it will work better to verify the download
Sha1 or sha256 can't be verified automatically, because it
requires you to download the checksum from the same source.
They can be used if you have checked the authenticity in another
way, but if dlang.org is compromised the attacker would also
change the checksums, but he can't change your local, verified
keyring.
For this reason, it's common for Linux distros to sign their
packages:
https://wiki.archlinux.org/index.php/Pacman/Package_signing
https://wiki.debian.org/SecureApt
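
The argument in the reply above, as an added example that is not part of the original post and not dlang.org's tooling: a checksum fetched from the same server as the download still matches after that server is compromised, while a signature checked against a locally held public key does not. A Lamport one-time signature built from SHA-256 stands in for the GPG signature so the example runs with only the standard library; all names and payloads are constructed.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def digest_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen():
    # Lamport one-time key: 256 pairs of secrets; the public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def sign(sk, msg: bytes):
    # Reveal one secret per digest bit (a Lamport key must sign only one message).
    return [sk[i][b] for i, b in enumerate(digest_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, digest_bits(msg))))

def publish(sk, payload: bytes) -> dict:
    # What the download server hosts: the file, its checksum, and its signature.
    return {"file": payload, "sha256": hashlib.sha256(payload).hexdigest(),
            "sig": sign(sk, payload)}

def checksum_ok(server: dict) -> bool:
    # The checksum comes from the same server as the file.
    return hashlib.sha256(server["file"]).hexdigest() == server["sha256"]

def signature_ok(local_pk, server: dict) -> bool:
    # The public key comes from the user's local, previously verified keyring.
    return verify(local_pk, server["file"], server["sig"])

def demo() -> dict:
    publisher_sk, local_pk = keygen()
    genuine = publish(publisher_sk, b"constructed release archive")
    # A compromised server can rewrite everything it hosts, but it only has
    # its own signing key, not the publisher's.
    attacker_sk, _ = keygen()
    tampered = publish(attacker_sk, b"constructed modified archive")
    return {"genuine": (checksum_ok(genuine), signature_ok(local_pk, genuine)),
            "tampered": (checksum_ok(tampered), signature_ok(local_pk, tampered))}

if __name__ == "__main__":
    print(demo())
```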