>
The pointlessness is why I started off by saying a valid GPG signature
makes checking the MD5sum unnecessary. (ie: only check step 1 above, all
the rest is unnecessary.)
The more paranoid method I describe checks for inconsistencies between
the SRPM and other documentation on the SRPM (same person signed both
files which seem to both refer to the same SRPM. A double check.) In
the real world, if someone could compromise an SRPM on a server, they
could probably also compromise the md5sum file.
This stems from a piece of my original post which you snipped which
states that I was testing fedora-startqa and it verified the SRPM GPG
but then errored out because the MD5sum file wasn't up-to-date (and so
couldn't find the SRPM listed there.) From your comments here, I think
you're planning on removing the md5sum checking so this problem is going
away.
> You still haven't necessarily verified the gpg signature against a web
> of trust, which is FAR more likely to be the source of a problem. I'm
> not really involved with any of these (webs of trust), but when we
> convert the script over to checking RPM sigs using GPG (imminent) we can
> indicate whether or not the signature that passed was a "trusted" one in
> your review account's gpg keyring.
>
Yes, distributing trust is the real tricky problem of gpg.
Cool. Looks like we are on the same page here then. My current
inclination is to require a valid gpg signature, but check md5sums if
possible and note to the user if anything is inconsistent. It certainly
wouldn't hurt to also check that the md5sums are signed by the same
key as the SRPM, although I doubt many crooks will be caught by it :)
--erik
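The policy agreed on above (signature required, md5sum file advisory, note any inconsistency including a different signing key), as an added example that is not fedora-startqa's own code; it assumes the caller has already obtained the GPG verdict and signing key IDs for the SRPM and for the md5sum file (hypothetical inputs), and that the md5sum file is in md5sum(1) output format.

```python
import hashlib

# Constructed sample inputs (not real Fedora artifacts).
SRPM_NAME = "example-1.0-1.src.rpm"
SRPM_DATA = b"constructed SRPM payload for the example\n"
# An md5sum(1)-style file that is current: "<32 hex chars>  <filename>".
MD5SUMS_CURRENT = "%s  %s\n" % (hashlib.md5(SRPM_DATA).hexdigest(), SRPM_NAME)
# A stale md5sum file that predates this SRPM (the case that broke the script).
MD5SUMS_STALE = "d41d8cd98f00b204e9800998ecf8427e  older-0.9-1.src.rpm\n"
# An entry for the same file name that does not match its contents.
MD5SUMS_WRONG = "%s  %s\n" % ("0" * 32, SRPM_NAME)


def parse_md5sum_file(text):
    """Map file name -> hex digest from md5sum(1) output; ignore junk lines."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 32:
            sums[parts[1].strip().lstrip("*")] = parts[0].lower()
    return sums


def check_srpm(name, data, sig_valid, srpm_key, md5sum_text=None, md5sum_key=None):
    """Return (accepted, notes).

    sig_valid, srpm_key and md5sum_key are assumed to come from the caller's
    GPG verification of the SRPM and of the md5sum file (hypothetical inputs).
    A valid signature is required; md5sum findings are advisory notes only.
    """
    if not sig_valid:
        return False, ["GPG signature on %s is missing or invalid" % name]
    if md5sum_text is None:
        return True, ["no md5sum file available; cross-check skipped"]
    notes = []
    sums = parse_md5sum_file(md5sum_text)
    if name not in sums:
        notes.append("%s not listed in md5sum file (file may be out of date)" % name)
    else:
        actual = hashlib.md5(data).hexdigest()
        if actual != sums[name]:
            notes.append("md5 mismatch for %s: listed %s, computed %s"
                         % (name, sums[name], actual))
    if md5sum_key is not None and md5sum_key != srpm_key:
        notes.append("md5sum file signed by key %s but SRPM signed by key %s"
                     % (md5sum_key, srpm_key))
    return True, notes
```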