[Catalog-sig] getting the public key when --sign is used
dholth at gmail.com
Mon Nov 19 23:06:17 CET 2012
On Mon, Nov 19, 2012 at 5:03 PM, Tarek Ziadé <tarek at ziade.org> wrote:
> On 11/19/12 11:01 PM, Daniel Holth wrote:
>> Unfortunately the whole signed mirror system falls down because it relies
>> on md5 hashes (http://www.kb.cert.org/vuls/id/836068)
>> although the signing key seems to be long enough. What would it take to get
>> SHA-2 (or 3) added?
> No, the mirroring protocol uses SHA http://www.python.org/dev/
> The md5 hash is only a crc-check added in the tarball url
The last step is just a bit outdated, that's all. To me it would seem quite
harmless to change it to SHA-256 or better.
1. download the /simple page, and compute its SHA-1 hash
2. compute the DSA signature of that hash
3. download the corresponding /serversig, and compare it (byte-for-byte) with the value computed in step 2.
4. compute and verify (against the /simple page) the MD-5 hashes of all files they download from the mirror.
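The four-step client procedure quoted above, worked through as an added example in Python. This is not code from this thread, from PyPI or from PEP 381: it models the exchange end to end, with the mirror signing the SHA-1 digest of its /simple page and the client checking /serversig with the DSA verification equation (a DSA signature is randomised, so the client verifies rather than recomputing it), then checking each download against the digest carried in the link's URL fragment. Everything cryptographic is constructed for the demo: DSA domain parameters are generated at run time at toy sizes (512-bit p, 160-bit q, far too small for real use) so that only the standard library is needed, the serversig byte layout (r and s as 20-byte big-endian integers) is an assumption of this example rather than PyPI's format, and the `sha256=` fragment form is assumed as the stronger alternative the post asks for. Step 4 reports an `md5=` fragment as a weak algorithm, which is the point the post is making.

```python
# Added example; not code from the Catalog-SIG thread, PyPI or PEP 381.
# Assumptions: toy DSA parameters generated here, serversig = r||s as two
# 20-byte big-endian integers, and a sha256= URL fragment as the proposed
# replacement for md5=. All sample data below is constructed.
import hashlib
import re
import secrets
from urllib.parse import urlparse


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin probable-prime test; adequate for the demo's toy parameters."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_domain_params(pbits=512, qbits=160):
    """Constructed DSA parameters (p, q, g) with q | p-1; a 160-bit q means a
    SHA-1 digest maps straight onto an integer mod q, as the quoted steps need."""
    while True:
        q = secrets.randbits(qbits) | (1 << (qbits - 1)) | 1
        if not _is_probable_prime(q):
            continue
        for _ in range(8192):
            k = secrets.randbits(pbits - qbits - 1) << 1  # even k keeps p odd
            p = k * q + 1
            if p.bit_length() == pbits and _is_probable_prime(p):
                g = pow(2, (p - 1) // q, p)
                if g > 1:
                    return p, q, g


def generate_keypair(params):
    """Returns (private x, public y); y is what the client fetches as the server key."""
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def dsa_sign(params, x, digest):
    """Mirror side: sign the SHA-1 digest of the /simple page (produces /serversig)."""
    p, q, g = params
    z = int.from_bytes(digest, "big")
    while True:
        k = secrets.randbelow(q - 1) + 1  # per-signature nonce; must be fresh each time
        r = pow(g, k, p) % q
        s = (pow(k, -1, q) * (z + x * r)) % q
        if r and s:
            return r.to_bytes(20, "big") + s.to_bytes(20, "big")


def dsa_verify(params, y, digest, serversig):
    """Client side, step 3: check /serversig against the digest from step 1."""
    p, q, g = params
    if len(serversig) != 40:
        return False
    r = int.from_bytes(serversig[:20], "big")
    s = int.from_bytes(serversig[20:], "big")
    if not (0 < r < q and 0 < s < q):
        return False
    z = int.from_bytes(digest, "big")
    w = pow(s, -1, q)
    v = (pow(g, z * w % q, p) * pow(y, r * w % q, p) % p) % q
    return v == r


def verify_simple_page(params, y, simple_page, serversig):
    """Steps 1 and 3 together: hash the /simple page, verify the mirror's signature."""
    return dsa_verify(params, y, hashlib.sha1(simple_page).digest(), serversig)


_HREF = re.compile(rb'href="([^"]+)"')


def downloads_from_simple(simple_page):
    """Map each file name on the /simple page to the (algorithm, hex digest) in its fragment."""
    out = {}
    for href in _HREF.findall(simple_page):
        url = urlparse(href.decode("ascii"))
        name = url.path.rsplit("/", 1)[-1]
        algo, _, hexdigest = url.fragment.partition("=")
        out[name] = (algo, hexdigest) if hexdigest else None
    return out


def check_download(entry, data, accept_md5=False):
    """Step 4 for one file: 'ok', 'weak-algorithm', 'unknown-algorithm', 'mismatch' or 'no-digest'."""
    if entry is None:
        return "no-digest"
    algo, expected = entry
    if algo == "md5" and not accept_md5:
        return "weak-algorithm"  # collision attacks on MD5 are practical (see the CERT note)
    if algo not in hashlib.algorithms_available:
        return "unknown-algorithm"
    return "ok" if hashlib.new(algo, data).hexdigest() == expected else "mismatch"


def demo():
    """Constructed exchange: mirror signs its /simple page, client verifies page and files."""
    params = generate_domain_params()
    priv, pub = generate_keypair(params)
    good, evil = b"constructed sdist contents", b"constructed tampered contents"

    def link(name, algo, hexdigest):
        return f'<a href="../../packages/source/e/example/{name}#{algo}={hexdigest}">{name}</a>\n'.encode()

    simple_page = (link("example-1.0.tar.gz", "sha256", hashlib.sha256(good).hexdigest())
                   + link("example-0.9.tar.gz", "md5", hashlib.md5(good).hexdigest()))
    serversig = dsa_sign(params, priv, hashlib.sha1(simple_page).digest())
    files = downloads_from_simple(simple_page)
    return {
        "page_ok": verify_simple_page(params, pub, simple_page, serversig),
        "page_modified": verify_simple_page(params, pub, simple_page + b" ", serversig),
        "sha256_ok": check_download(files["example-1.0.tar.gz"], good),
        "sha256_tampered": check_download(files["example-1.0.tar.gz"], evil),
        "md5_flagged": check_download(files["example-0.9.tar.gz"], good),
    }


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the five results; `page_ok` is the only signature check that passes, the sha256-linked file verifies or is rejected depending on its bytes, and the md5-linked file is reported as weak before any hashing is done. Passing `accept_md5=True` to `check_download` reproduces the behaviour of the quoted step 4.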