
15 Feb 2014, 10:10 a.m.
Hi Roman,
> I suppose that SHA hashes are meaningless unless they are PGP-signed by, say, Austin?
Well, there are shades of gray. Technically speaking, even PGP signatures are meaningless unless you've personally verified the fingerprint of the PGP key that signed the release with the owner of the key. If you didn't do that, you cannot trust the key, and hence its signature doesn't mean anything.

In practice, however, a valid PGP signature *does* add some security. It's not 100% secure, but it's certainly better than no signature at all. The same applies to publishing hashes. A published hash is no guarantee that the binary is authentic, but having one is certainly better than *not* having one. Right?

Take care,
Peter
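The layered check Peter describes, as an added example that is not part of this thread: verify the published SHA-256, then verify the detached PGP signature, and only count the signature as meaningful if the signing key's fingerprint matches one you confirmed with the key's owner. The trusted fingerprint, file names and `gpg` status lines are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from this thread): verify a release against its published
# SHA-256 and its detached PGP signature, treating the signature as meaningful
# only if the signing key's fingerprint matches one confirmed out of band with
# the key's owner. The fingerprint below is a constructed placeholder.

# Fingerprint confirmed with the maintainer in person. PLACEHOLDER, not a real key.
TRUSTED_FPR="0000000000000000000000000000000000000000"

# sha256_of FILE: print the hex SHA-256 of FILE (coreutils sha256sum or perl shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
    cut -d' ' -f1
}

# verify_hash FILE EXPECTED_HEX: succeed only if FILE hashes to EXPECTED_HEX.
# This catches corruption and casual tampering, but a hash published next to the
# binary can be replaced together with it, so it proves integrity, not authenticity.
verify_hash() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# fingerprint_from_status: read `gpg --status-fd 1 --verify` output on stdin and
# print the signing key's fingerprint from the VALIDSIG line, or nothing if the
# signature did not verify. gpg emits VALIDSIG even for keys it does not trust,
# which is why the caller compares the fingerprint itself rather than relying on
# gpg's trust database.
fingerprint_from_status() {
  awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; exit }'
}

# verify_signature SIGFILE FILE: succeed only if gpg reports a valid signature
# made by TRUSTED_FPR. The signer's public key must already be in the keyring.
verify_signature() {
  fpr=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | fingerprint_from_status)
  [ -n "$fpr" ] && [ "$fpr" = "$TRUSTED_FPR" ]
}

# verify_release FILE EXPECTED_HEX SIGFILE: both checks must pass before the
# release is treated as authentic.
verify_release() {
  verify_hash "$1" "$2" && verify_signature "$3" "$1"
}
```

Typical use is `verify_release release.tar.gz "$(cat release.tar.gz.sha256)" release.tar.gz.asc`; a hash match with a failed or untrusted signature tells you only that the download was not corrupted.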