Urias McCullough <umccullough@xxxxxxxxx> wrote:
> I don't understand how that's significantly different from simply
> maintaining hashes of all the binaries in our source control and
> verifying them during download. There's really no need to sign them
> assuming we trust devs who have commit access already.

The advantage of signing over a simple hash is that it depends on the private key, which is, well, private.

An attacker who could gain access to our package repo server could simply exchange the binaries and change the hashes. It's also easy to do a man-in-the-middle attack, changing these things on the fly.

Both attack scenarios don't work with signing: without access to the private key (which needs to be guarded closely), the attacker cannot generate a valid signature. All he could do is exchange the package containing the public CA certs, so new installations could be compromised... but everyone doing an update on an older system would immediately notice that things are wrong.

-- 
So long,
jua
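The two checks compared in this exchange, modelled as an added example that is not code from the thread or from the project: a one-package repository whose manifest hash is recomputed by an attacker with write access to the server (or in the middle of the connection). SHA-256 and ed25519 are assumed as stand-ins for whatever hash and signature scheme the project would pick; the public key is assumed to be pinned on the client.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
)
// Repo is a constructed stand-in for what the package server hands out.
type Repo struct {
	Binary []byte
	Hash   string // SHA-256 hex digest as listed in the repo's manifest
	Sig    []byte // ed25519 signature over Hash, made with the developers' key
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}
// Publish hashes the binary and signs the hash; the private key never touches the server.
func Publish(bin []byte, priv ed25519.PrivateKey) *Repo {
	h := sha256Hex(bin)
	return &Repo{Binary: bin, Hash: h, Sig: ed25519.Sign(priv, []byte(h))}
}

// HashOnlyOK is the quoted proposal: the download matches the hash served from the same repo.
func HashOnlyOK(r *Repo) bool { return r.Hash == sha256Hex(r.Binary) }

// SignedOK is the reply's check: same hash comparison, plus a valid signature
// over the hash under the public key pinned on the client.
func SignedOK(r *Repo, pub ed25519.PublicKey) bool {
	return HashOnlyOK(r) && ed25519.Verify(pub, []byte(r.Hash), r.Sig)
}

// Tamper models an attacker who controls the server or the connection: swap the
// binary and recompute the hash. Sig stays as is; without the key it cannot be redone.
func Tamper(r *Repo, evil []byte) {
	r.Binary = evil
	r.Hash = sha256Hex(evil)
}

// Scenario runs the argument end to end and returns each check's result after tampering.
func Scenario() (hashOnly, signed bool) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	if err != nil {
		panic(err)
	}
	r := Publish([]byte("constructed sample package bytes"), priv)
	Tamper(r, []byte("constructed modified package bytes"))
	return HashOnlyOK(r), SignedOK(r, pub) // true, false
}
```

The hash-only client accepts the swapped binary because the hash it compares against came from the same compromised source; the signed client rejects it because the manifest no longer matches the developers' signature.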