4 Apr 2006 13:05
On Tue, Apr 04, 2006 at 02:44:25PM +0200, Ulrich Windl wrote:
> Hi,
> having the (public) signing key on the same media as signed data doesn't add much security, but I'm sure you know. As a poor man's compromise, you could add a md5sum file for every directory, and clear-sign that. That way people could check the MD5 sums the simple way, and if they want to be sure, they can check the signature of the md5sum file(s). I'm using that method for some projects...
That's why you can get those keys from other sources and cross check from them too. It would have been worse to do no signing at all ;)

As for the MD5SUMs, it's a good idea too.

Ciao, Marcus
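The per-directory scheme discussed in this thread, as an added example that is not part of the original messages or of the project's tooling: a shell sketch that writes one checksum list per directory, clear-signs it, and checks it both ways. It assumes GNU `md5sum` and `gpg`; the function names and the `MD5SUMS` file name are illustrative.

```sh
#!/bin/sh
# Added example; function names and the MD5SUMS file name are illustrative.
SUMTOOL=${SUMTOOL:-md5sum}   # sha256sum writes and checks the same line format
MANIFEST=MD5SUMS

# Publisher: one manifest per directory, listing that directory's regular
# files (dot files are not matched by the * glob).
make_manifests() {
    find "$1" -type d | while IFS= read -r dir; do
        (
            cd "$dir" || exit 1
            for f in *; do
                [ -f "$f" ] || continue
                case $f in "$MANIFEST"*) continue ;; esac   # skip the manifests themselves
                "$SUMTOOL" -- "$f"
            done > "$MANIFEST.tmp"
            # md5sum -c rejects an empty list, so directories without files get none
            if [ -s "$MANIFEST.tmp" ]; then mv "$MANIFEST.tmp" "$MANIFEST"
            else rm -f "$MANIFEST.tmp"; fi
        ) || exit 1
    done
}

# Publisher: clear-sign each manifest to MD5SUMS.asc (needs a secret key).
sign_manifests() {
    find "$1" -type f -name "$MANIFEST" | while IFS= read -r m; do
        gpg --batch --yes --clearsign --output "$m.asc" "$m" || exit 1
    done
}

# User, the simple way: compare the files with the unsigned manifest.
check_dir() {
    ( cd "$1" && "$SUMTOOL" -c "$MANIFEST" )
}

# User, to be sure: verify the signature and check the files against the text
# gpg emits, i.e. only the lines the signature covers. Running md5sum -c on the
# raw .asc would also accept checksum lines placed outside the signed block.
# The public key in the keyring must come from a source other than the media.
check_dir_signed() {
    (
        cd "$1" || exit 1
        signed=$(gpg --batch --decrypt "$MANIFEST.asc") || exit 1
        printf '%s\n' "$signed" | "$SUMTOOL" -c -
    )
}
```
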