On 2024-02-09 18:26, Paul Eggert wrote:
> On 2024-02-09 14:20, brian.inglis--- via tz wrote:
>> On 2/8/24 06:21, Martin Burnicki via tz wrote:
>>> For higher security the file should be signed using a public key certificate ...
>> You can check leap-seconds.list sha1
> That SHA1 checksum merely checks for data corruption. Martin was asking for a signature via a public key certificate. Such a signature also verifies that the sender is not some random attacker; this is a stronger guarantee than a checksum. This is why TZDB releases have signed tags on GitHub and why release announcements contain the tarballs' PGP signatures.

I am aware of that, and was suggesting all we can do for now with the current distribution: using https:// as you suggested, sha1 check, and eyeball diff (-b) in case of site hacks. I left the remainder of the post intact with information of useful additions.

I previously suggested to the folks at IERS they include an additional updated hash (#H?) or detached signature, when providing feedback on leap-second files issued with expiry dates earlier than the issue date of the next Bulletin C.

Currently document digital signature certs appear to be restricted to structured document types to which a digital signature subtype can be added e.g. PDF/*Office. It appears that only a generic cert for hpiers.obspm.fr could be used to create a detached (armored) signature.

-- 
Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada

La perfection est atteinte                   Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer     but when there is no more to cut
                                -- Antoine de Saint-Exupéry
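
An added example, not part of the thread or of any IERS or TZDB code, showing the difference discussed above between the file's embedded SHA-1 line and a signature. It assumes the `#h` convention as described in the file's own comments (SHA-1 over the digits of the `#$` and `#@` lines and the numeric fields of the data lines, printed as five 32-bit hex words); the sample file and the function names are constructed for illustration.

```python
import hashlib

# Constructed sample in leap-seconds.list layout; the values are illustrative only.
SAMPLE = """\
# constructed sample, not a real IERS file
#$ 3900000000
#@ 3930000000
2272060800 10 # 1 Jan 1972
2287785600 11 # 1 Jul 1972
3692217600 37 # 1 Jan 2017
"""

def computed_hash(text):
    """SHA-1 over the digits of the #$ and #@ lines and the two numeric fields
    of each data line, in file order (assumed convention, see lead-in)."""
    parts = []
    for line in text.splitlines():
        if line.startswith(("#$", "#@")):
            parts.append("".join(line[2:].split()))
        elif line[:1].isdigit():
            parts.append("".join(line.split("#", 1)[0].split()[:2]))
    return hashlib.sha1("".join(parts).encode("ascii")).hexdigest()

def embedded_hash(text):
    """Return the #h value as 40 hex digits, or None if there is no usable #h line.
    Each of the five words is zero-padded because leading zeros may be omitted."""
    for line in text.splitlines():
        words = line[2:].split()
        if line.startswith("#h") and len(words) == 5:
            return "".join(w.lower().rjust(8, "0") for w in words)
    return None

def checksum_ok(text):
    return embedded_hash(text) == computed_hash(text)

def stamp(text):
    """Rewrite the #h line. No secret key is involved, so anyone able to edit
    the file can produce a matching hash: it detects corruption, not forgery."""
    digest = computed_hash(text)
    words = [format(int(digest[i:i + 8], 16), "x") for i in range(0, 40, 8)]
    kept = [l for l in text.splitlines(True) if not l.startswith("#h")]
    return "".join(kept) + "#h " + " ".join(words) + "\n"

if __name__ == "__main__":
    good = stamp(SAMPLE)
    edited = good.replace("3692217600 37", "3692217600 38")
    print(checksum_ok(good), checksum_ok(edited), checksum_ok(stamp(edited)))
```

Run directly, it prints `True False True`: an accidental change is caught, but a changed file with a recomputed `#h` line passes, which is the gap a detached signature from a key the recipient already trusts would close.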