On Tue, 10 Feb 2004, Yutaka Sato wrote:
> On 02/09/04(22:51) you Steffen Kaiser <firstname.lastname@example.org>
> |what's the delegate**.tar.sign file for? It is not recognized by the gpg
> |--verify *.sign, for instance.
> It is a string representing "delegateX.Y.Z.tar MD5(delegateX.Y.Z.tar)"
> signed with my RSA private-key. You can get the verified plain text
> using DeleGate (in which my public-key is embedded, after DeleGate/8.9.0)
> like this:
> % delegated -Fverify delegate8.9.1.tar.sign
> delegate8.9.1.tar 913a71c69558ecdfaa587f142f191cda
Hmm, OK. It's not in the docs -- at least I didn't found it.
I had expected a PGP signature, as it is wide spread and does not have the
hen-and-egg problem (you need a compiled & running delegate before you can
verify its correctness -- the same applies to gpg by itself, but most
systems come with a trustworthy gpg pre-compiled).