Do .sig files contain information to check the integrity of files?
I downloaded the following files.
Code:
total 2260
-rw------- 1 bill bill 1428776 Dec 8 22:31 avr-libc-1.8.0.tar.bz2
-rw------- 1 bill bill 72 Dec 8 22:32 avr-libc-1.8.0.tar.bz2.sig
-rw------- 1 bill bill 127217 Dec 8 22:33 avr-libc-manpages-1.8.0.tar.bz2
-rw------- 1 bill bill 72 Dec 8 22:33 avr-libc-manpages-1.8.0.tar.bz2.sig
-rw------- 1 bill bill 725852 Dec 8 22:33 avr-libc-user-manual-1.8.0.tar.bz2
-rw------- 1 bill bill 72 Dec 8 22:34 avr-libc-user-manual-1.8.0.tar.bz2.sig
There are no .md5 files here. Do .sig files contain information to check the integrity of files, besides checking authenticity? A related question would be: don't .bz2 files contain error detection code?
Could also be an OpenBSD 'signify' signature file, which also uses a '.sig' filename suffix. Or, it could be anything else for that matter: what's in a filename?... But, most likely, it's a GPG unarmored detached signature.
Usually the project maintainer or lead developer will sign their source archives with a GPG key. Not only does this verify the file is not tampered with, it also verifies the origin of the file and who it was last edited by.
md5 and sha256 checksums only verify that a file has not been edited since that specific checksum was created. Which is why many open source projects provide a GPG signature as well as an md5 checksum. I've seen sha256sums used in place of md5sums in projects where integrity is of higher value.
It has been proven that data collisions are possible with the md5 algorithm, so many projects that require higher validity of their data use the sha256 algorithm instead.
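The replies above name two likely formats for a `.sig` file: an unarmored GPG detached signature or an OpenBSD signify signature. The following is an added example, not code from the thread, that tells them apart from the file's bytes and reads the hash algorithm a GPG signature was computed over. It assumes the OpenPGP packet layout from RFC 4880 and signify's "comment line plus base64" layout; the function names and sample bytes are constructed for illustration and are not valid signatures.

```python
import base64

# OpenPGP hash algorithm IDs (RFC 4880, section 9.4)
HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
          9: "SHA384", 10: "SHA512", 11: "SHA224"}

def parse_openpgp_sig(data: bytes):
    """Return fields of a binary OpenPGP signature packet, or None."""
    if len(data) < 2 or not data[0] & 0x80:
        return None
    if data[0] & 0x40:                      # new-format packet header
        tag = data[0] & 0x3F
        if 224 <= data[1] < 255:            # partial lengths: not a signature
            return None
        off = 2 if data[1] < 192 else 3 if data[1] < 224 else 6
    else:                                   # old-format packet header
        tag = (data[0] >> 2) & 0x0F
        off = 1 + (1, 2, 4, 0)[data[0] & 0x03]
    body = data[off:]
    if tag != 2 or not body:                # tag 2 = signature packet
        return None
    if body[0] == 4 and len(body) >= 4:     # v4: version, type, pk algo, hash algo
        sig_type, hash_id = body[1], body[3]
    elif body[0] == 3 and len(body) >= 17:  # v3: hash algo follows time and key ID
        sig_type, hash_id = body[2], body[16]
    else:
        return None
    return {"format": "openpgp-binary", "version": body[0],
            "binary_document": sig_type == 0x00,
            "hash": HASHES.get(hash_id, f"id {hash_id}")}

def classify_sig(data: bytes) -> dict:
    """Guess which of the formats named in the thread a .sig file uses."""
    if data.startswith(b"-----BEGIN PGP SIGNATURE-----"):
        return {"format": "openpgp-armored"}
    if data.startswith(b"untrusted comment: "):
        # signify: comment line, then base64("Ed" + 8-byte key number + 64-byte sig)
        try:
            raw = base64.b64decode(data.split(b"\n")[1], validate=True)
        except (IndexError, ValueError):
            raw = b""
        if len(raw) == 74 and raw[:2] == b"Ed":
            return {"format": "signify", "keynum": raw[2:10].hex()}
        return {"format": "unknown"}
    return parse_openpgp_sig(data) or {"format": "unknown"}

# Constructed samples (headers only, not valid signatures)
SAMPLE_V4 = bytes([0x88, 10, 4, 0x00, 17, 8, 0, 0, 0, 0, 0xAB, 0xCD])
SAMPLE_V3 = bytes([0x88, 19, 3, 5, 0x00]) + bytes(12) + bytes([17, 2, 0x12, 0x34])
SAMPLE_SIGNIFY = b"untrusted comment: constructed\n" + base64.b64encode(b"Ed" + bytes(72)) + b"\n"
```

This only identifies the format; checking the archive itself is done with `gpg --verify avr-libc-1.8.0.tar.bz2.sig avr-libc-1.8.0.tar.bz2` once the signer's public key has been imported.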