[Twisted-Python] Release questions
glyph at twistedmatrix.com
Thu Apr 4 19:42:41 EDT 2013
On Apr 4, 2013, at 11:15 AM, Tristan Seligmann <mithrandi at mithrandi.net> wrote:
> In fact, I believe there is no such thing as "signing the whole binary blob". When you use something like gpg --sign, what is actually signed with a public key signature algorithm is a hash of the content anyway. Thus, assuming you use the same hash algorithm as you would have instructed gpg to use (I think the default is SHA512 these days), there isn't any real difference between signing the content directly, and signing a hash of the content.
This is my understanding as well; however, when I'm making potentially security-critical claims I try to be circumspect in describing systems I don't fully understand :).
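The point in the quoted reply, that a public-key signature is always computed over a hash of the content and that signing a precomputed digest is therefore equivalent to "signing the content", can be shown concretely. The following is an added example, not code from the Twisted project or from either poster: a stdlib-only Python implementation of RSA hash-then-sign with EMSA-PKCS1-v1_5 encoding (RFC 8017) and SHA-512, which is the digest gpg is said to default to above. The DigestInfo prefix is the standard one for SHA-512; the key size, the stand-in tarball bytes and the function names are assumptions made here, and the demo-sized key is for illustration only.

```python
"""Hash-then-sign (RSA, PKCS#1 v1.5, SHA-512) in stdlib-only Python.

Shows that sign(content) and sign(sha512(content)) are byte-identical:
the signature primitive never sees anything but the digest.
Demo-sized key; not for real use (assumption: 1024-bit modulus is enough here).
"""
import hashlib
import hmac
import secrets

# DER-encoded DigestInfo prefix for SHA-512 (RFC 8017, section 9.2, note 1).
SHA512_DIGESTINFO_PREFIX = bytes.fromhex("3051300d060960864801650304020305000440")


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2           # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    """Random prime with the top bit set (so the modulus has full length)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(modulus_bits: int = 1024):
    """Return (n, e, d). 1024 bits keeps the demo fast; use >= 2048 in practice."""
    e = 65537
    while True:
        p = _random_prime(modulus_bits // 2)
        q = _random_prime(modulus_bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return p * q, e, pow(e, -1, phi)


def _emsa_pkcs1_v15_encode(digest: bytes, em_len: int) -> bytes:
    """EM = 0x00 || 0x01 || PS (0xff bytes) || 0x00 || DigestInfo(digest)."""
    t = SHA512_DIGESTINFO_PREFIX + digest
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def sign_digest(digest: bytes, n: int, d: int) -> bytes:
    """Sign an already-computed SHA-512 digest; this is the only real primitive."""
    if len(digest) != 64:
        raise ValueError("expected a 64-byte SHA-512 digest")
    k = (n.bit_length() + 7) // 8
    em = int.from_bytes(_emsa_pkcs1_v15_encode(digest, k), "big")
    return pow(em, d, n).to_bytes(k, "big")


def sign_message(message: bytes, n: int, d: int) -> bytes:
    """'Sign the content': it is just hash, then sign_digest. No other path exists."""
    return sign_digest(hashlib.sha512(message).digest(), n, d)


def verify_message(message: bytes, signature: bytes, n: int, e: int) -> bool:
    """Recover EM with the public key and compare it to a fresh encoding."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    expected = _emsa_pkcs1_v15_encode(hashlib.sha512(message).digest(), k)
    return hmac.compare_digest(em, expected)


def demo() -> dict:
    """Sign a constructed stand-in for a release tarball both ways and compare."""
    n, e, d = generate_keypair()
    tarball = b"constructed stand-in for a release tarball's bytes"   # constructed input
    sig_content = sign_message(tarball, n, d)
    sig_prehashed = sign_digest(hashlib.sha512(tarball).digest(), n, d)
    return {
        "identical": sig_content == sig_prehashed,
        "verifies": verify_message(tarball, sig_content, n, e),
        "tampered_rejected": not verify_message(tarball + b"\x00", sig_content, n, e),
    }


if __name__ == "__main__":
    print(demo())
```

The practical consequence for a release process is the one the quoted reply draws: publishing a signature over the SHA-512 of the tarball carries exactly the same assurance as "signing the tarball", provided the verifier recomputes the digest from the bytes it actually downloaded rather than trusting a digest supplied alongside them.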