So, no, it's not useless - as you see, correct usage of gpg covers even the most out-of-the-question extreme & unlikely cases...
Thanks again. You are right, I only originally skimmed the gpg guidance briefly to get the gist but in attempting to get to grips with it this evening, I lost the will to live; it is just far, far too complex for the average (or even above-average) user to deal with. I really don't understand the full implications but what I think you are saying is that to produce the correct fingerprint from a malicious file it is authenticating is almost impossible, thus an incorrect file will always be flagged up by the authentication process? If that is the case then I go back to my phrase that the authentication file is inherently self-authenticating; i.e. the correct fingerprint will not emerge from anything but the legitimate file - in this case the sha256sum.txt.
Is that interpretation correct?
Last edited by SoapyMint on Sun Dec 31, 2017 4:21 pm, edited 1 time in total.
Yes, for mathematical reasons the fingerprint cannot be faked. At least not until now; an absolute promise for the future can never be given.
I thought this afternoon, while out with my dog, about the question of how the verification could be automated. I think there is a way, although only for Mint users. With the Mint system, the Mint repositories are added to the system by default. The gpg key for this repository also belongs to that, which is a principal method for verifying the packages downloaded from there. That means that the needed gpg key is already on board.
My idea is to make a package for the checksum text file. Consequently, by installing it, it would get verified automatically, just like every package that gets installed or updated. The result is a trustworthy checksum file; no further action is needed. The only precondition is that the Mint system used had been verified once in the past. If this precondition is met, the user could even launch the verified live system (e.g. if the current Mint installation is for whatever reason not usable), install the checksum package and securely use it to check a download of a Mint iso (e.g. a new Mint version or another edition).
This can be enhanced even further: a package with a simple script, which extracts the needed checksum from the checksum file, compares it with a downloaded iso (which would be given as a parameter when launching the script) and could say in clear and understandable words: Verified OK (or, as the case may be, not OK). At present Mint has a built-in tool to calculate the shasum of a downloaded file, but it is still the duty of the user to compare this value with the value in the checksum file; a rather cumbersome task, as a shasum is anything but user friendly to read.
I don't think that creating such a script would be a time-intensive job; packaging the checksum file is even easier to do. This would of course not help Windows users and for other distros it would at least be needed to provide a kind of official PPA for those packages, but also that should be easily doable.
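The checking script proposed in the post above, sketched as an added example (it is not part of the original thread and not a Linux Mint tool). The function name `verify_iso` and its exit codes are assumptions, and the checksum file is assumed to be already trusted, for instance because it came from the signed package the post suggests.

```shell
#!/bin/sh
# Added example: verify_iso CHECKSUM_FILE ISO_FILE
# Assumption: CHECKSUM_FILE is already trusted (installed from a signed
# package or checked with gpg). This function does not authenticate it.
# Returns 0 = match, 1 = mismatch, 2 = unreadable input or no usable entry.
verify_iso() {
    sums=$1
    iso=$2
    if [ ! -r "$sums" ] || [ ! -r "$iso" ]; then
        echo "Cannot read checksum file or ISO" >&2
        return 2
    fi
    name=$(basename -- "$iso")
    # sha256sum lines look like "<64 hex>  name" or "<64 hex> *name".
    # Compare the file name as a literal string (not a regex) so that
    # "mint.iso" cannot match an entry for "mint-iso" or "xmint.iso".
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        NF == 2 && f == n { print tolower($1); exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "No entry for $name in $sums" >&2
        return 2
    fi
    # Refuse truncated or non-hex entries instead of comparing against them.
    if ! printf '%s' "$expected" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "Malformed checksum entry for $name" >&2
        return 2
    fi
    actual=$(sha256sum -- "$iso" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "Verified OK: $name matches the checksum file"
        return 0
    fi
    echo "NOT OK: $name does not match the checksum file" >&2
    return 1
}

# Run as a script: sh verify_iso.sh sha256sum.txt downloaded.iso
if [ "$#" -eq 2 ]; then
    verify_iso "$1" "$2"
fi
```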
Excellent work Cosmo - now if that could be made to work it would be a great improvement to download security.
I am so pleased that my inexpert blundering around has been a catalyst for such creative thinking. As a young man, one of my progress reports said "he at first might appear to be not very bright, but only because he is not afraid to ask the questions which others would not be brave enough to". I have continued in this vein throughout my 70 years.
Is there a place where one can make a formal suggestion for improvement to implement your ideas? If so, I strongly recommend you do so - perhaps the initiative could bear your dog's name?
As for making sure the hash wasn't changed at a hacked download location; put it in a search and you'll get dozens/hundreds of results if it's genuine or 1 or two at the max if it's not.
Big thumbs up for Cosmo's idea of adding the checksums to the repo, though, since that, maybe together with the installer creating a checksum from its own iso and comparing the two, would basically eliminate any need for users to get involved.