Comment 13 for bug 1536871

Seth Arnold (seth-arnold) wrote :

Hi Richard, thanks for the reply.

This is quite unusual but the demands on our time are growing and it'd help me immensely if you could aim me towards the methods that:

- verify the firmware.xml.gz file

- verify the contents of firmware.inf and firmware.metainfo.xml files within the cab files

Please do also switch to SHA-256 or SHA-512, both in whatever explicit checks you're using and in the GnuPG signatures. (gpg --list-packets < foo.gpg.asc | grep digest -- 2 is SHA-1, 8 is SHA-256, 10 is SHA-512)

We recently switched APT to requiring SHA-512 signatures and I think firmware updates deserve parity with software updates.

Thanks
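
The digest check from the comment above, as an added example that is not part of the original comment or of the project's code: it reads `gpg --list-packets` output and fails when any signature uses a digest weaker than SHA-256. The function names, the constructed sample packet listing and the choice to also accept SHA-384 are assumptions; the algorithm IDs are those of RFC 4880 section 9.4.

```shell
#!/bin/sh
# Usage: gpg --list-packets < foo.gpg.asc | check_digest_algos
# Exit status: 0 = all digests acceptable, 1 = weak digest seen,
#              2 = no signature packet in the input.
check_digest_algos() {
    awk '
        BEGIN {
            name[1] = "MD5";     name[2] = "SHA-1";   name[3] = "RIPEMD-160"
            name[8] = "SHA-256"; name[9] = "SHA-384"
            name[10] = "SHA-512"; name[11] = "SHA-224"
            # Assumption: SHA-384 is accepted alongside SHA-256 and SHA-512.
            ok[8] = 1; ok[9] = 1; ok[10] = 1
        }
        /^:signature packet:/ { sigs++ }
        /digest algo [0-9]+/ {
            id = $0
            sub(/.*digest algo /, "", id)   # drop everything before the ID
            sub(/[^0-9].*/, "", id)         # drop everything after the ID
            id += 0
            label = (id in name) ? name[id] : "unknown"
            verdict = (id in ok) ? "OK" : "WEAK"
            printf "signature %d: digest algo %d (%s) %s\n", sigs, id, label, verdict
            if (!(id in ok)) weak++
            seen++
        }
        END {
            if (seen == 0) { print "no signature packets found"; exit 2 }
            exit (weak > 0) ? 1 : 0
        }
    '
}

# Constructed sample of `gpg --list-packets` output (not from a real file);
# $1 is the digest algorithm ID to place in the signature packet.
sample_packets() {
    cat <<EOF
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1453334400, md5len 0, sigclass 0x00
    digest algo $1, begin of digest 12 34
    hashed subpkt 2 len 4 (sig created 2016-01-21)
    subpkt 16 len 8 (issuer key ID 0123456789ABCDEF)
    data: [2047 bits]
EOF
}

# Demo: a SHA-1 signature is reported and the check fails.
sample_packets 2 | check_digest_algos || echo "re-sign with SHA-256 or SHA-512"
```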