WelcomeWelcome | FAQFAQ | DownloadsDownloads | WikiWiki

Author Topic: GPG digital signature  (Read 3019 times)

Offline Okajima

  • Newbie
  • *
  • Posts: 13
GPG digital signature
« on: May 20, 2009, 11:07:05 AM »

Current tce/tcz are installed without public key integrity checking
(Just only MD5SUM).

I think this is problem.
especially, when  "third party tcz" comes, ( and I hope it does soon),
this makes big issue.

I propose that an activeX style pop up,
something like
"With checking of digital signature,
  the publisher says this software is safe.
  Only if you trust the publisher, Click OK".
... this kind of pop up is necessary.

Your opinion is...?

You plan to add GPG( or alike) checking in the *near* future?
If not, how you guarantee security of TCE/TCZ?

--- Okajima, Jun. Tokyo, Japan.

Offline notfed

  • Newbie
  • *
  • Posts: 5
Re: GPG digital signature
« Reply #1 on: June 09, 2009, 12:46:39 PM »
While I do agree that there might be benefits to digital signatures in extensions, I cringe at the idea of an "ActiveX style pop up," or anything like that.  There are plenty of secure means to authenticate a package...(clicking "OK" is (IMHO) just another layer of false security.)

Using an MD5 checksum is really all that is needed, but then the problem becomes validating the checksum.  Well, since (with Tiny Core) there is a small, definite list of packages, all authentication could theoretically come down to a single, digitally signed list of MD5 checksums.  That way it could be verified through a script, and not present any extra effort by the end user.   

Since I do think it's an important issue, I'm interested in hearing alternative ideas.