Re: signed tarballs

On Apr 13, 2017 13:28, "Christian Rebischke" <Chris.Rebischke(a)archlinux.org&gt; wrote: On Tue, Apr 11, 2017 at 10:03:54AM -0400, Steve Grubb wrote: access Thanks, but as I stated before. SHA256 and https doesn't ensure a non-malicious tarball. Only a signed tarball can achieve this. That's not true, he's providing you a detached signature via this mechanism. You just need to check the sha256sum before extraction. -- Linux-audit mailing list Linux-audit(a)redhat.com https://www.redhat.com/mailman/listinfo/linux-audit