Welcome to SparkyLinux forums
Zapraszamy również na polsko-języczne Forum https://forum.linuxiarze.pl

verifying isos - signed checksums?

Started by seashore, September 29, 2015, 05:30:40 PM

Previous topic - Next topic

seashore

SparkyLinux looks great, but unfortunately I can't use it, because (it seems) the iso images published by SparkyLinux are not signed.

There are checksums provided, but as these are unsigned (and not even served over https) they are only useful for detecting accidental corruption of data, not deliberate MITM attacks.

In the current context, in which awareness of the potential for MITM attacks is higher than ever, this absence of even basic precautions is shockingly naive.

A GPG key already exists for signing SL repo packages:
http://sparkylinux.org/repo/sparkylinux.gpg.key

Would you please consider:
1. Signing each checksums file (allsums.txt) with the repo GPG key.
2. Publishing these signatures alongside the checksums files, prominently linked from the download page.
3. Making the GPG key and/or its fingerprint available over https (less important).

[if, OTOH, I'm missing something obvious and the isos are already being signed, can you make it more obvious to users where to find the signatures.]

Until then you'll be missing out on myself and many other security-concious users who could become valuable testers and developers.

Thanks!

View the most recent posts on the forum