Where are the GPG Signatures?


Where are the GPG Signatures?

Postby 1jX66Wtz » Sun Dec 08, 2013 3:25 am

I saw a question like this posted some while ago, but not in this section where I think it should have been.

In these days of the NSA tapping international cables, hijacking downloads, and possibly much, much more, you only publish MD5 hashes of the ISO files. I'm sure there is some kind of internal package verification done when an install is being done, and I suspect the development team actually probably have and use the GPG signatures for your own verification purposes. So how come you don't publish them?

MD5 hashes have been known to be insecure for a long time. Fedora and even Ubuntu publish an assortment of hashes that are much more secure than MD5, and then sign them with the Fedora or Ubuntu GPG release key.

This is a quote from wikipedia re: "MD5 Hashes"

..."Also in 2004 more serious flaws were discovered in MD5, making further use of the algorithm for security purposes questionable — specifically, a group of researchers described how to create a pair of files that share the same MD5 checksum."

Please don't misunderstand, I'm not being nasty. I'm an ex-Windows user, and am purposely moving away from Windows for security reasons. So I would just like to know why.


Re: Where are the GPG Signatures?

Postby eanfrid » Sun Dec 08, 2013 5:15 am

Those MD5 hashes are not there to authenticate the files but to ensure that the file was downloaded/written-on-disk without error. So yes, another way to authenticate the iso files is needed, since GPG is already used in the repos.

Edit: BTW Debian publishes GPG signatures, SHA-1, SHA256 and SHA512 hashes in addition to MD5 hashes.
Main desktop: Debian GNU/Linux Jessie 64bit - MATE
(i5 2400@3.7GHz - 16GB DDR3 - HD6770 w/radeon driver - SSD+RAID1)
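As an added example (not code from either post or from the Mint project), the two checks eanfrid distinguishes, kept separate in a shell script: a checksum comparison that only catches a corrupted download, and a GPG verification of the checksum file against a release key that establishes the checksums are authentic. It assumes a sha256sum-format checksum file, a detached signature, and a keyring file that holds only the distribution's release key obtained out of band; the file and function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: integrity (checksum) versus authenticity (signature).
# A matching MD5/SHA-256 only proves the bytes arrived intact; an attacker
# who serves a modified ISO can serve a matching checksum file just as easily.
# Only a signature from a release key you already trust closes that gap.
set -u

# Integrity only. $1 = checksum file in "<hex>  <name>" (sha256sum) format,
# $2 = file to check. Returns 0 on match, 1 on mismatch or if $2 is not listed.
checksum_matches() {
    local sums="$1" file="$2" expected actual name
    name=$(basename "$file")
    # sha256sum marks binary-mode entries with a leading '*'; accept both forms.
    expected=$(awk -v f="$name" '($2 == f) || ($2 == ("*" f)) {print $1; exit}' "$sums")
    [ -n "$expected" ] || return 1
    actual=$(sha256sum "$file" | awk '{print $1}')
    [ "$expected" = "$actual" ]
}

# Authenticity. $1 = checksum file, $2 = detached signature, $3 = keyring file
# (absolute path; assumed to contain only the release key). Returns gpg's status,
# so a missing gpg, missing signature or untrusted key all count as failure.
signature_valid() {
    local sums="$1" sig="$2" keyring="$3"
    gpg --no-default-keyring --keyring "$keyring" --verify "$sig" "$sums" 2>/dev/null
}

# Full check, signature first so an unverified checksum file is never trusted.
verify_release_iso() {
    local iso="$1" sums="$2" sig="$3" keyring="$4"
    signature_valid "$sums" "$sig" "$keyring" \
        || { echo "BAD: signature on $sums did not verify" >&2; return 1; }
    checksum_matches "$sums" "$iso" \
        || { echo "BAD: $iso does not match the signed checksum" >&2; return 1; }
    echo "OK: $iso is intact and its checksum is signed by the release key"
}
```

Run it as `verify_release_iso linuxmint.iso sha256sum.txt sha256sum.txt.gpg /path/to/release-key.gpg`; the checksum function alone is what an MD5-only download page lets you do.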