…of a file’s SHA256 fingerprint? If I have my terminology correct here…

  • colournoun@beehaw.org
    link
    fedilink
    English
    arrow-up
    7
    ·
    2 years ago

    In other words, if the sha matches, then it wasn’t corrupted during downloading. If the signature matches, then it wasn’t tampered with before you downloaded it.

    There’s also a third check. Even if the certificate signature is valid, you have to have confidence that the certificate is authentic and trusted to be from the original author. This is usually done by having a trusted third party sign the certificate with another, more trusted, certificate.

    • manitcor@lemmy.intai.tech
      link
      fedilink
      English
      arrow-up
      5
      ·
      2 years ago

      really its just different trust root authorities presuming we are still talking pk distribution infra involved here. alice and bob can of course always trade keys in other ways. if its distributed you have to root trust with a ledger (trust area: key ceremony, consensus protocol) or a CA (trust area: the CA chain, every step is another element of trust)