You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
NextGen currently computes hashes for some release artifacts and hosts them side-by-side with the downloadable packages from their release-hosting site. The hashes can only provide proof that a particular binary matches the hash and has therefore not been tampered-with after downloading. They do not, however, provide any authentication of the signature at all.
PGP (or GPG) signatures provide both tamper-evident hashing and authenticated signing to prove that the binary was signed by a (presumably) trusted signer. This allows binaries to be mirrored, copied, shared, etc. and signatures cannot be forged. Theoretically, hashes can be "forged" simply by updating the hash after the binary has been modified.
The text was updated successfully, but these errors were encountered:
NextGen currently computes hashes for some release artifacts and hosts them side-by-side with the downloadable packages from their release-hosting site. The hashes can only provide proof that a particular binary matches the hash and has therefore not been tampered-with after downloading. They do not, however, provide any authentication of the signature at all.
PGP (or GPG) signatures provide both tamper-evident hashing and authenticated signing to prove that the binary was signed by a (presumably) trusted signer. This allows binaries to be mirrored, copied, shared, etc. and signatures cannot be forged. Theoretically, hashes can be "forged" simply by updating the hash after the binary has been modified.
The text was updated successfully, but these errors were encountered: