Where are the GPG Signatures?


Postby 1jX66Wtz on Sun Dec 08, 2013 3:25 am

I saw a question like this posted some while ago, but not in this section where I think it should have been.

In these days of the NSA tapping international cables, hijacking downloads, and possibly much, much more, you only publish MD5 hashes of the ISO files. I'm sure there is some kind of internal package verification done when an install is being done, and I suspect the development team actually probably have and use the GPG signatures for your own verification purposes. So how come you don't publish them?

MD5 hashes have been known to be insecure for a long time. Fedora and even Ubuntu publish an assortment of hashes that are much more secure than MD5, and then sign them with the Fedora or Ubuntu GPG release key.

This is a quote from wikipedia re: "MD5 Hashes"

..."Also in 2004 more serious flaws were discovered in MD5, making further use of the algorithm for security purposes questionable — specifically, a group of researchers described how to create a pair of files that share the same MD5 checksum."

Please don't misunderstand, I'm not being nasty. I'm an ex-windows user, and am purposely moving away from windows for security reasons. So would just like to know why.
1jX66Wtz
 

Re: Where are the GPG Signatures?

Postby eanfrid on Sun Dec 08, 2013 5:15 am

Those MD5 hashes are not there to authenticate the files but to ensure that the file was downloaded and written to disk without error. So yes, another way to authenticate the ISO files is needed, since GPG is already used in the repos.

Edit: BTW, Debian publishes GPG signatures and SHA-1, SHA-256 and SHA-512 hashes in addition to MD5 hashes.
eanfrid
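The distinction eanfrid draws above (a checksum catches a corrupted download, a signature catches a substituted one) translates into a two-step check: verify the signature over the checksum file against a release-key fingerprint you obtained out of band, and only then compare the ISO's SHA-256 against that file. The script below is an added example, not code from this thread or from Linux Mint. The pinned fingerprint, the file names, the sample ISO bytes and the `gpg --status-fd` output it parses are all constructed placeholders; only the parsing of gpg's status keywords (`GOODSIG`, `VALIDSIG`, `BADSIG`, ...) follows the real tool's format. It also shows why "Good signature" on its own is not the check you want: any key in the local keyring produces `GOODSIG`, so the decision has to come from the fingerprint.

```python
"""Verify a downloaded ISO: SHA-256 for integrity, an OpenPGP signature over the
checksum file for authenticity. Added example; not Linux Mint's own tooling."""
import hashlib
import re
import subprocess
import tempfile
from pathlib import Path

# Hypothetical release-key fingerprint, obtained out of band (printed on the
# project's website, or from a keyring you already trust). Placeholder value,
# not any real project's key.
PINNED_FINGERPRINT = "0123456789ABCDEF0123456789ABCDEF01234567"

# gpg status keywords that mean the signature must be rejected outright.
REJECT_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so a multi-GB ISO is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def parse_checksum_file(text):
    """Parse sha256sum-style lines ('<hex>  <name>' or '<hex> *<name>')."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"([0-9a-fA-F]{64})\s+\*?(.+)", line)
        if not m:
            raise ValueError(f"malformed checksum line: {line!r}")
        entries[m.group(2)] = m.group(1).lower()
    return entries


def check_integrity(iso_path, checksum_text):
    """True if the ISO's SHA-256 matches the entry for its file name."""
    expected = parse_checksum_file(checksum_text).get(Path(iso_path).name)
    return expected is not None and sha256_file(iso_path) == expected


def signature_made_by_pinned_key(status_text, pinned_fpr):
    """Decide from `gpg --status-fd` output whether the signature is good AND was
    made by the pinned key. GOODSIG alone is not enough: any key in the local
    keyring, including one an attacker talked the user into importing, yields
    it. TRUST_UNDEFINED is fine here; pinning replaces the web of trust."""
    pinned = pinned_fpr.replace(" ", "").upper()
    good = False
    signing_keys = set()
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword in REJECT_KEYWORDS:
            return False
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG":
            # fields[2] is the signing (sub)key fingerprint; when a 12th field
            # is present it is the primary key fingerprint.
            signing_keys.add(fields[2].upper())
            if len(fields) >= 12:
                signing_keys.add(fields[11].upper())
    return good and pinned in signing_keys


def gpg_status(sig_path, signed_path):
    """Run gpg and return its machine-readable status lines. The exit code is
    ignored on purpose: the decision is made from the status output."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, signed_path],
        capture_output=True, text=True)
    return proc.stdout


def verify_download(iso_path, checksum_path, sig_path, pinned_fpr=PINNED_FINGERPRINT):
    """Authenticity first, then integrity: an unsigned checksum file proves nothing."""
    if not signature_made_by_pinned_key(gpg_status(sig_path, checksum_path), pinned_fpr):
        return False
    return check_integrity(iso_path, Path(checksum_path).read_text())


# Constructed status output shaped like gpg's own; not captured from a real run.
GOOD_STATUS = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Release Key <release@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2013-12-08 1386468000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Same shape, but signed by some other key that happens to sit in the keyring.
OTHER_KEY_STATUS = GOOD_STATUS.replace(PINNED_FINGERPRINT, "FEDCBA9876543210FEDCBA9876543210FEDCBA98")
BAD_STATUS = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 89ABCDEF01234567 Example Release Key <release@example.invalid>\n"


def demo():
    """Exercise both halves offline with a constructed 'ISO'; returns an outcome dict."""
    results = {
        "good_sig_pinned_key": signature_made_by_pinned_key(GOOD_STATUS, PINNED_FINGERPRINT),
        "good_sig_other_key": signature_made_by_pinned_key(OTHER_KEY_STATUS, PINNED_FINGERPRINT),
        "bad_sig": signature_made_by_pinned_key(BAD_STATUS, PINNED_FINGERPRINT),
    }
    with tempfile.TemporaryDirectory() as d:
        iso = Path(d) / "example.iso"
        iso.write_bytes(b"constructed iso payload\n" * 1000)
        checksum_text = f"{sha256_file(iso)}  example.iso\n"
        results["integrity_ok"] = check_integrity(iso, checksum_text)
        iso.write_bytes(b"constructed iso payload\n" * 999 + b"tampered payload\n")
        results["integrity_tampered"] = check_integrity(iso, checksum_text)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

`verify_download` is the real entry point and needs `gpg` on the path; `demo` exercises the same functions offline against the constructed data. The order matters: if the checksum file is not signed by the pinned key, the ISO hash is never consulted, because an attacker who can swap the ISO on a mirror or in transit can swap the unsigned checksum file beside it just as easily.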