Hi Frederick, On Fri, Feb 27, 2009 at 2:18 PM, Frederick Hirsch <Frederick.Hirsch@nokia.com> wrote: > Marcos > > Yes, logically there would be two self contained signatures with references > to every file in the package. > > Again Policy indicates which signatures must be verified. What does the > packaging spec currently say? It says, "see Widgets Digsig Spec" :) > To date it has been one distributor spec that > must be verified. We should be clearer on this - I think this goes with the > changes we make regarding filename sorting and processing. The P&C just hands the list of signatures to the Dig Sig spec. > However if both are to be verified, and if the algorithms are the same > (which is currently the case given one hash algorithm in widget signatures) > an implementation could be smart and calculate the reference hashes once, > eliminating that overhead if it were a concern. Right, but using the same algorithms is not guaranteed. Kind regards, Marcos -- Marcos Caceres http://datadriven.com.auReceived on Friday, 27 February 2009 14:34:21 GMT
This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:30 GMT