Quote:
Originally Posted by rtmistler
tar creates an archive, and can embed any file within that archive.
Create your digital signature file and then add it to your tar archive, using tar.
The problem being, when you include the signature in the tar after having signed the tar... the resulting tar file is not the signed tar-file...
Put another way: Someone who returns from work late in the evening or someone who has not yet got his second coffee might try to test a signature on the *original* tar-file after having extracted only the signature (as a copy). This attempt has to fail.
Signing files selectively, only a few of them that you consider important, could be a solution. I prefer the approach that I mentioned above: Sign your tar file and put the signature together with the tar file *inside* another archive. This is so simple to comprehend that even half asleep, I might get the right idea when confronted with such a file.
Others will say, it lacks sophistication.
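The two layouts discussed in this thread, as an added example that is not part of the original posts: a signature appended to the tar it signs no longer matches the file that ships, while a wrapper archive holding the tar and its signature side by side still verifies. It assumes HMAC-SHA256 with a constructed key as a stand-in for a real detached signature (for example one made with GPG); the member names and helper functions are hypothetical.

```python
import hashlib, hmac, io, tarfile

KEY = b"constructed-demo-key"  # constructed; stands in for a real signing key

def sign(data: bytes) -> bytes:
    # Stand-in for a detached signature: it covers the exact bytes of the file.
    return hmac.new(KEY, data, hashlib.sha256).digest()

def verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)

def add_member(tar: tarfile.TarFile, name: str, data: bytes) -> None:
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))

def make_tar(members: dict) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members.items():
            add_member(tar, name, data)
    return buf.getvalue()

def append_to_tar(tar_bytes: bytes, name: str, data: bytes) -> bytes:
    # Same effect as adding a file to an existing archive with tar.
    buf = io.BytesIO(tar_bytes)
    with tarfile.open(fileobj=buf, mode="a") as tar:
        add_member(tar, name, data)
    return buf.getvalue()

def read_member(tar_bytes: bytes, name: str) -> bytes:
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return tar.extractfile(name).read()

# Constructed sample payload, signed as a whole.
PAYLOAD = make_tar({"README": b"constructed sample\n", "bin/tool": b"demo bytes"})
SIG = sign(PAYLOAD)

def embedded_verifies() -> bool:
    # Signature added to the signed tar: the shipped file is a different file.
    shipped = append_to_tar(PAYLOAD, "payload.tar.sig", SIG)
    return verify(shipped, read_member(shipped, "payload.tar.sig"))

def wrapped_verifies() -> bool:
    # Signed tar and signature stored next to each other in an outer archive.
    outer = make_tar({"payload.tar": PAYLOAD, "payload.tar.sig": SIG})
    return verify(read_member(outer, "payload.tar"),
                  read_member(outer, "payload.tar.sig"))

if __name__ == "__main__":
    print("embedded:", embedded_verifies(), "wrapped:", wrapped_verifies())
```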