Re: [widgets] Digsig optimization

Hi Frederick,
On Fri, Feb 27, 2009 at 2:18 PM, Frederick Hirsch wrote:
> Marcos
> Yes, logically there would be two self contained signatures with references
> to every file in the package.
> Again Policy indicates which signatures must be verified. What does the
> packaging spec currently say?

It says, "see Widgets Digsig Spec" :)

> To date it has been one distributor spec that
> must be verified. We should be clearer on this - I think this goes with the
> changes we make regarding filename sorting and processing.

The P&C just hands the list of signatures to the Dig Sig spec.

> However if both are to be verified, and if the algorithms are the same
> (which is currently the case given one hash algorithm in widget signatures)
> an implementation could be smart and calculate the reference hashes once,
> eliminating that overhead if it were a concern.

Right, but using the same algorithms is not guaranteed.

Kind regards,

Marcos Caceres

Received on Friday, 27 February 2009 14:34:21 UTC
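
The optimization discussed in the message above, as an added example that is not part of the original thread or of any Widgets spec: reference digests are cached per (file, algorithm) pair, so two signatures share work only when their algorithms match. The file names, signature names and function names are constructed for illustration, and only reference digests are checked here, not the signature value over SignedInfo.

```python
import hashlib
import hmac

# Constructed sample package: file name -> content (not from the thread).
FILES = {"config.xml": b"<widget/>", "index.html": b"<html></html>"}

def make_refs(files, alg):
    """Build (name, algorithm, expected digest) references, as a signer would."""
    return [(n, alg, hashlib.new(alg, data).digest()) for n, data in files.items()]

class DigestCache:
    """Hash each (file, algorithm) pair at most once across all signatures."""
    def __init__(self, files):
        self.files = files
        self.cache = {}
        self.computed = 0  # how many digests were actually calculated

    def digest(self, name, alg):
        key = (name, alg)  # algorithm is part of the key, so mixed algorithms stay correct
        if key not in self.cache:
            self.cache[key] = hashlib.new(alg, self.files[name]).digest()
            self.computed += 1
        return self.cache[key]

def check_references(signatures, files):
    """Return ({signature name: all references match}, digests computed)."""
    cache = DigestCache(files)
    results = {}
    for sig_name, refs in signatures.items():
        # A reference to a file absent from the package fails without hashing.
        results[sig_name] = all(
            name in files and hmac.compare_digest(cache.digest(name, alg), expected)
            for name, alg, expected in refs
        )
    return results, cache.computed

if __name__ == "__main__":
    # Constructed signature names; each signature references every file.
    same = {"sig-a.xml": make_refs(FILES, "sha256"),
            "sig-b.xml": make_refs(FILES, "sha256")}
    mixed = dict(same, **{"sig-b.xml": make_refs(FILES, "sha512")})
    print(check_references(same, FILES))   # same algorithm: digests are shared
    print(check_references(mixed, FILES))  # different algorithms: nothing is shared
```
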