On Tuesday 21 Sep 2010, Rony wrote:
The whole process looks like the md5 sum generated from a CD/DVD ISO. The md5 can be cross-checked manually using md5sum. In case of emails, the regular email client of the recipient does not make any difference between a real or fake PGP signature, so what is the point in adding it? As recipients, who uses this feature?
As a recipient, I pay attention to security advisories that are signed by the PGP keys of the package maintainers.
As a recipient, I try to avoid stealing ideas that I first saw in a PGP-encrypted mail.
As a recipient, I know that I can send PGP-encrypted mail to senders of signed messages.
As a recipient, if my boss mails me to rm -rf / on the corporate servers, I ignore it unless it is PGP-signed.
Of course, as others have also pointed out, as a recipient I use a client that can automatically detect and validate PGP signatures, and warn me in case of problems.
Regards,
-- Raj