
Re: [tor-talk] Absence of digital signature of TBB sources

On Thu, Apr 5, 2012 at 23:39, James Brown <jbrownfirst@xxxxxxxxx> wrote:
> And how can I check signatures of the git tags?

You need to clone the repository, since git signatures sign SHA-1
hashes of DAG nodes [1], which need to be traversed until the tree root
for verification. This is also an answer to Andrew's question above:
git tags are not better than signed source tarballs for users who only
need to compile the source.

[1] http://eagain.net/articles/git-for-computer-scientists/

Maxim Kammerer
Liberté Linux (discussion / support: http://dee.su/liberte-contribute)
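
An added illustration, not part of the original message: the hash chain behind a signed tag, recomputed with git's object-ID rule to show that the signed bytes name only a commit ID, so checking file content means rehashing the objects below it. The identity, file name, tag name and source text are constructed, and the PGP check of the payload itself is assumed to have been done separately.

```python
import hashlib

WHO = "Example Dev <dev@example.invalid> 1333665540 +0000"  # constructed identity

def git_object_id(kind, body):
    """Object ID as git computes it: SHA-1 over "<kind> <length>\\0" + body."""
    header = f"{kind} {len(body)}".encode() + b"\0"
    return hashlib.sha1(header + body).hexdigest()

def tree_body(entries):
    """entries: (mode, name, hex_id) for plain files; IDs are stored as raw 20 bytes."""
    return b"".join(f"{mode} {name}".encode() + b"\0" + bytes.fromhex(oid)
                    for mode, name, oid in sorted(entries, key=lambda e: e[1]))

def commit_body(tree_id, message):
    return f"tree {tree_id}\nauthor {WHO}\ncommitter {WHO}\n\n{message}\n".encode()

def tag_payload(commit_id, name):
    """The bytes a tag signature covers: they name one commit ID, no file content."""
    return f"object {commit_id}\ntype commit\ntag {name}\ntagger {WHO}\n\n{name}\n".encode()

def chain_for(source):
    """Blob -> tree -> commit -> tag payload for a one-file release (constructed)."""
    blob = git_object_id("blob", source)
    tree = git_object_id("tree", tree_body([("100644", "main.c", blob)]))
    commit = git_object_id("commit", commit_body(tree, "release"))
    return blob, tree, commit, tag_payload(commit, "v1.0")

def source_matches_tag(payload, source):
    """Recompute the chain from the files and compare with the signed commit ID."""
    first_line = payload.split(b"\n", 1)[0]
    signed_commit = first_line[len(b"object "):].decode()
    return chain_for(source)[2] == signed_commit

if __name__ == "__main__":
    good = b"int main(void) { return 0; }\n"
    payload = chain_for(good)[3]  # assume its PGP signature was already checked
    print(source_matches_tag(payload, good))
    print(source_matches_tag(payload, good.replace(b"0", b"1")))
```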