<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><div>On Apr 4, 2013, at 11:15 AM, Tristan Seligmann <<a href="mailto:mithrandi@mithrandi.net">mithrandi@mithrandi.net</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div class="gmail_quote" style="font-family: Menlo; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; ">In fact, I believe there is no such thing as "signing the whole binary blob". When you use something like gpg --sign, what is actually signed with a public key signature algorithm is a hash of the content anyway. Thus, assuming you use the same hash algorithm as you would have instructed gpg to use (I think the default is SHA512 these days), there isn't any real difference between signing the content directly, and signing a hash of the content.<br></div><span style="font-family: Menlo; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; display: inline !important; float: none; "></span></blockquote><br></div><div>This is my understanding as well; however, when I'm making potentially security-critical claims I try to be circumspect in describing systems I don't <i>fully</i> understand :).</div><div><br></div><div>-g</div></body></html>