12 Feb
2019
12 Feb
'19
7:45 p.m.
On 2019-02-12 12:42:27 -0500 (-0500), Wes Turner wrote: [...]
- cryptographically sign the SHA-256 checksums with a key and retrieve the corresponding key over a different channel [...]
If you're going to use asymmetric cryptography with PKI to sign something, you might as well just directly sign (a hash of) the package file rather than merely signing (a hash of) its checksum. Either way you're relying on the strength of your signing implementation, so also having to rely on the strength of the checksum is just added potential weakness and complexity. -- Jeremy Stanley