Changes between Version 3 and Version 4 of Are the packages signed

Timestamp:

Sep 20, 2012, 7:02:36 PM (11 years ago)

Author:

datallah

Comment:

Add a section about what signatures are and why they're important (snagged chunks from the Tor project's site)

Are the packages signed

@@ +1 @@
+== What is a signature and why should I check it? ==
+When you download a file from the internet, you don't have a good way of knowing if it may have been tampered with.  It's not beyond the realm of possibility that someone could release a patched version of pidgin that transparently captured your passwords and uploaded them to some server.
+
+This is where signatures come in - file signatures are very similar in concept to the idea behind signing both the back of your credit card, and a credit card receipt.  The signature is a verification that the file came from who it was expected to come from.
+
+You probably have noticed that vendors frequently don't bother to compare the signature on the receipt to the signature on the back of the card, which makes it so that anyone could have been using the credit card (let's pretend that the signature on a credit card slip isn't trivially easy to forge).  Similarly, if you don't verify the signature on a file, even if the file is signed, you don't have any confidence that it came from where it was expected to come from.
+
+Due to the nature of how signing works, an additional benefit is that if you verify the signature, you can be confident that nothing got corrupted during the download process - the file you have is exactly as it was when it was signed.
+
 == Source Tarballs ==
-The source tarballs (`pidgin-$VERSION.tar.gz` and `pidgin-$VERSION.tar.bz2`) are signed with [http://www.gnupg.org/ GPG] by on of the following people:
+The source tarballs (`pidgin-$VERSION.tar.gz` and `pidgin-$VERSION.tar.bz2`) are signed with [http://www.gnupg.org/ GPG] by one of the following people:
 ||'''Signer'''||'''Key Signature'''||
 ||Mark Doliner||`4C292FCC`||