William Hooper wrote:

John Burton said:
[snip]

As far as signing packages vs. signing meta-data... Digital signatures
are like real signatures, you want to make sure they are actually attached
to what you are signing.

[snip]

IIRC the discussion was that signed meta-data would have the signatures
attached to the MD5sums of the packages.  The MD5sums of the download
could then be checked against the meta-data, verifying that the package is
the same as the package used to create the meta-data.

I didn't catch that particular detail earlier, but that would be fine. Like I said, as long as changing the package invalidates the signature then the purpose is serverd

John