Old 02-28-2016, 11:06 AM   #7
kovidgoyal
creator of calibre
Join Date: Oct 2006
Location: Mumbai, India
Device: Various
Quote:
Originally Posted by eschwartz View Post
(Hmm, I wouldn't mind if the release tarballs were also signed -- always a good thing and even more so before the relatively recent HTTPS downloads courtesy of LetsEncrypt.)
The reason I don't sign tarballs is because there is no way to embed the signature in the tarball and have it be verified seamlessly (that I know of).

That means only the very paranoid will ever end up downloading the separate signature and verifying it. Given that the vast majority of Linux users should be using the binary installers, which are already verified via a securely downloaded sha512 hash, and the git sources are already signed, that means that signing source tarballs is effort for relatively little gain.
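The verification flow the post describes, as an added example that is not calibre's installer code and not part of the original thread: a file is checked against a SHA-512 listing fetched over a trusted channel, and a detached signature is checked with gpg when the user has gone to the trouble of downloading it. The artifact name, the listing format (`<hex digest>  <filename>`, as produced by `sha512sum`) and the sample contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not calibre's own code): verify a downloaded release
# artifact against a SHA-512 listing obtained over a trusted channel,
# and optionally check a detached signature with gpg.

# Print the SHA-512 hex digest of file $1, using whichever of the
# common tools is installed (coreutils, BSD shasum, openssl).
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 512 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha512 "$1" | sed 's/^.*= //'
    fi
}

# Look up the digest for filename $2 in listing $1, whose lines have the
# form "<hex digest>  <filename>". Prints nothing and returns 1 when the
# file is not listed, so a missing entry is never treated as a match.
expected_hash_for() {
    listing="$1"; name="$2"
    h=$(awk -v n="$name" '$2 == n { print $1; exit }' "$listing")
    [ -n "$h" ] || return 1
    printf '%s\n' "$h"
}

# Verify file $1 against listing $2. Returns 0 on match, 1 on mismatch
# or when no digest is listed for the file.
verify_sha512() {
    file="$1"; listing="$2"
    want=$(expected_hash_for "$listing" "$(basename "$file")") || {
        echo "no SHA-512 listed for $(basename "$file")" >&2; return 1; }
    # Normalise case so an upper-case listing still compares correctly.
    want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
    got=$(sha512_of "$file")
    if [ "$got" = "$want" ]; then
        return 0
    fi
    echo "SHA-512 mismatch for $file" >&2
    return 1
}

# Verify detached signature $2 over file $1. Returns gpg's status, or 2
# when gpg is not installed, so callers can tell "unverifiable" apart
# from "bad signature". The signing key must already be in the keyring.
verify_detached_sig() {
    command -v gpg >/dev/null 2>&1 || return 2
    gpg --verify "$2" "$1"
}

# Constructed demonstration: a stand-in for a release tarball and its
# listing, then a tampered copy that must fail verification.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed stand-in for a release tarball\n' > "$tmp/example-release.tar.xz"
    printf '%s  example-release.tar.xz\n' "$(sha512_of "$tmp/example-release.tar.xz")" \
        > "$tmp/SHA512SUMS"
    verify_sha512 "$tmp/example-release.tar.xz" "$tmp/SHA512SUMS" && echo "hash OK"
    printf 'appended by an attacker\n' >> "$tmp/example-release.tar.xz"
    verify_sha512 "$tmp/example-release.tar.xz" "$tmp/SHA512SUMS" || echo "tamper detected"
    rm -rf "$tmp"
}

demo
```

The listing lookup keys on the filename rather than taking the first line, and an absent entry is a failure rather than a pass; both are the details that get lost when the check is done by eye, which is the post's point about separate signatures only being used by the very paranoid.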