Where are the GPG Signatures?


Postby 1jX66Wtz on Sun Dec 08, 2013 3:25 am

I saw a question like this posted some while ago, but not in this section where I think it should have been.

In these days of the NSA tapping international cables, hijacking downloads, and possibly much, much more, you only publish MD5 hashes of the ISO files. I'm sure there is some kind of internal package verification done when an install is being done, and I suspect the development team actually probably have and use the GPG signatures for your own verification purposes. So how come you don't publish them?

MD5 hashes have been known to be insecure for a long time. Fedora and even Ubuntu publish an assortment of hashes that are much more secure than MD5, and then sign them with the Fedora or Ubuntu GPG release key.

This is a quote from wikipedia re: "MD5 Hashes"

..."Also in 2004 more serious flaws were discovered in MD5, making further use of the algorithm for security purposes questionable — specifically, a group of researchers described how to create a pair of files that share the same MD5 checksum."

Please don't misunderstand, I'm not being nasty. I'm an ex-Windows user, and am purposely moving away from Windows for security reasons. So I would just like to know why.

Re: Where are the GPG Signatures?

Postby eanfrid on Sun Dec 08, 2013 5:15 am

Those MD5 hashes are not there to authenticate the files but to ensure that the file was downloaded/written-on-disk without error. So yes, another way to authenticate the iso files is needed, since GPG is already used in the repos.

Edit: BTW Debian publishes GPG signatures, SHA-1, SHA256 and SHA512 hashes in addition to MD5 hashes.
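The distinction eanfrid draws (a hash proves the download was not corrupted, a signature over the hash list proves who published it) turns into a two-step check in practice. The script below is an added example for this thread, not Linux Mint's own tooling; it assumes a Debian-style release layout with a SHA256SUMS file and a detached SHA256SUMS.gpg signature, and that the release signing key has already been imported into the local keyring (how that key is obtained and trusted is outside the script).

```shell
#!/bin/sh
# verify_release.sh: the two-step check a signed checksum list makes possible.
# Added example, not Linux Mint project code. Assumed file names: SHA256SUMS
# and its detached signature SHA256SUMS.gpg; assumed the signing key is in
# the keyring already.

# Step 1: authenticity. If the signature over the list is bad or missing,
# the list itself cannot be trusted and step 2 is meaningless.
verify_signature() {
    sums="$1"; sig="$2"
    gpg --batch --verify "$sig" "$sums" >/dev/null 2>&1
}

# Step 2: integrity. Only after the list is authenticated does a matching
# SHA-256 rule out tampering rather than just transfer errors.
# Returns 0 when the ISO's recorded hash matches, 1 on mismatch or no entry.
verify_checksum() {
    sums="$1"; iso="$2"
    name=$(basename "$iso")
    # Select the single line for this ISO ("<hex>  <name>" or "<hex> *<name>");
    # an ISO that is not listed at all is a failure, not a pass.
    line=$(grep -E "^[0-9a-f]{64} [ *]$name\$" "$sums") || return 1
    (cd "$(dirname "$iso")" && printf '%s\n' "$line" | sha256sum -c --status)
}

# Both steps in order: signature first, then the hash.
verify_release() {
    verify_signature "$1" "$2" || { echo "signature check FAILED: do not use $3" >&2; return 2; }
    verify_checksum "$1" "$3" || { echo "checksum mismatch: $3 is corrupt or altered" >&2; return 1; }
    echo "$3 verified"
}

# Usage: verify_release.sh SHA256SUMS SHA256SUMS.gpg linuxmint.iso
if [ "$#" -eq 3 ]; then
    verify_release "$1" "$2" "$3"
fi
```

Note that `sha256sum -c` alone is still only step 2: the MD5 (or SHA-256) file on the same mirror as the ISO can be replaced together with it, which is exactly why the signature is needed.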

