[Catalog-sig] getting the public key when --sign is used

Tarek Ziadé tarek at ziade.org
Mon Nov 19 23:03:50 CET 2012

On 11/19/12 11:01 PM, Daniel Holth wrote:
> Unfortunately the whole signed mirror system falls down because it 
> relies on md5 hashes (http://www.kb.cert.org/vuls/id/836068) although 
> the signing key seems to be long enough. What would it take to get 
> SHA-2 (or 3) added? 
No, the mirroring protocol use SHA 

The md5 hash is only a crc-check added in the tarball url

More information about the Catalog-SIG mailing list