Integrity check of images

Hi,

If I’m not missing something, no PGP-signed checksums are provided to check the integrity of a downloaded image. Is there another way to check the integrity of an image or at least of the install?

Regards,
Ralf

If I’m not mistaken, you can check the integrity of the image download with a SHA256 hash checksum. Look on the download page.

The checksums aren’t signed.

I see your point.

I was thinking in terms of file corruption. You are thinking in terms of security.

The SHA256 sum should be enough; just set your img burn app to create a sum. If they match, you know; if not, then either the download failed or something is weird with the img. I personally don’t bother with this.

Enough for some people, not enough for others. It depends upon how secure you want to be.

Pretty easy to hack, change files, change sums, so either way.

That is why, for security concerns, a PGP digital signature is better. The PGP signature can’t be modified, assuming it is used properly.

PGP keys are stored on key servers; most key servers are unis that probably don’t check for security issues for years. Pretty easy for them to get taken. Even if you have your keys local, you need to send them the pub key, making PGP a little more than a pain.

Hi, I don’t want to discuss details about real pitfalls of OpenPGP, however, there’s a difference between existing pitfalls and spreading FUD.

A few pointers:

“Warning: You should verify the authenticity of the retrieved public key by comparing its fingerprint with one that the owner published on an independent source(s) (e.g., contacting the person directly). See Wikipedia:Public key fingerprint for more information.” - GnuPG - ArchWiki

See also Wikipedia:Web_of_trust.

My apologies, but as a new user, I’m only allowed to post 2 links.

If the keys are used properly, the signature can be checked for modification, even if it is years old. Proper use is where the web of trust comes into play.

Of course, if it isn’t used properly, it does not enhance security.

Why not? I am hoping this forum isn’t like FreeNode where each topic needs a channel and each sub topic of the main topic needs another # and that one in return needs another #.

It is possible to revoke a key and, apart from this, keys could expire. IOW, rotation is helpful to increase security.

Keyservers are maintained, synced by a special protocol.

The web of trust is hardly realisable, at least not if a user spontaneously decides to build software from upstream; it is unlikely that each spontaneously retrieved key is part of one’s trusted keys, but checking fingerprints from different sources is possible.

Even without a web of trust, or even without at least verifying fingerprints from different sources, a signed checksum is still more reliable than a checksum that isn’t signed.

It often happens that upstream homepages get hacked; replacing source code, a binary or an image and the related checksums is possible and likely happens sometimes. It’s also possible to provide signed checksums and a public key pretending to be owned by the one providing the software while it’s not owned by this person, but this is less likely to happen, since the keys are provided from separate locations and fingerprints to verify the owner are often spread all over the internet, e.g. somebody posted it to a mailing list and subscribers confirmed its correctness, so somebody would need to hack the mailing list archive and all the copies of the mailing list archive spread all over the internet, too, and wherever else fingerprint information is available and confirmed.

So at least for making downloads of source code, binaries or images more secure, not 100% secure, using signed checksums is reasonable, even if the public key isn’t verified correctly.

I don’t rely on OpenPGP to encrypt or sign emails, since most users aren’t security geeks, so they would store their private key in an insecure way anyway and/or store unencrypted mails on an insecure computer etc. Using OpenPGP for this purpose only works if all users know what they are doing. For this purpose correct usage is way more important.

Disclaimer: Just my 2 Cents.

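The check discussed in this thread, as an added example that is not part of any post above and not the project's own tooling: verify a detached signature on the checksum list, accept it only if the signer's fingerprint equals one obtained from an independent source, and only then compare the image hash. The function names, the pinned fingerprint and the sha256sum-style list with a detached signature are assumptions.

```python
import hashlib
import os
import subprocess

# Constructed placeholder; use the fingerprint the publisher confirms through
# independent channels (mailing-list archive, direct contact), not the download page.
PINNED_FPR = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"

def signer_is_pinned(status_text, pinned_fpr):
    """True if a GnuPG VALIDSIG status line names the pinned key."""
    want = "".join(pinned_fpr.split()).upper()
    for line in status_text.splitlines():
        f = line.split()
        if len(f) >= 3 and f[:2] == ["[GNUPG:]", "VALIDSIG"]:
            # The last VALIDSIG field is the primary-key fingerprint when present;
            # otherwise fall back to the signing key's fingerprint (first field).
            got = f[11] if len(f) >= 12 else f[2]
            if got.upper() == want:
                return True
    return False

def gpg_status(sums_path, sig_path):
    """Verify the detached signature; return (exit status ok, machine-readable status)."""
    p = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, sums_path],
                       capture_output=True, text=True)
    return p.returncode == 0, p.stdout

def image_matches(image_path, sums_text):
    """True if the image's SHA-256 equals its entry in sha256sum-format text."""
    h = hashlib.sha256()
    with open(image_path, "rb") as img:
        for chunk in iter(lambda: img.read(1 << 20), b""):
            h.update(chunk)
    for line in sums_text.splitlines():
        digest, _, name = line.strip().partition(" ")
        if name.lstrip(" *") == os.path.basename(image_path):
            return digest.lower() == h.hexdigest()
    return False  # no entry for this file

def verify_image(image_path, sums_path, sig_path, pinned_fpr=PINNED_FPR):
    """Signature first, then hash: an unsigned or wrongly signed list proves nothing."""
    ok, status = gpg_status(sums_path, sig_path)
    if not (ok and signer_is_pinned(status, pinned_fpr)):
        return False
    with open(sums_path, encoding="utf-8") as sums:
        return image_matches(image_path, sums.read())
```

A hash match alone still passes when both the image and the checksum list were replaced together; the pinned-fingerprint step is what rejects that case.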