On 7/25/2018 7:40 AM, Andrew McGlashan wrote:
> On 25/07/18 04:31, john doe wrote:
>> Also verifying signature using gnupg and checksum is a must
>> (sha512).
>
> Such verification is suspect, anyone can create gpg keys for anyone
> (so trust in the keys used is essential, but more difficult to attain)
Yes, that is what the web of trust is for.

https://en.wikipedia.org/wiki/Web_of_trust
> and if you download "supporting" files from a site, then the checksums
> and signatures can verify perfectly well ..... but the product is
> still suspect.
You are correct, it all relies on the web of trust, which also has flaws.
A checksum will only ensure that the file is properly transferred (not
corrupted).
https://en.wikipedia.org/wiki/Checksum
--
John Doe