On Tue, Feb 28, 2012 at 6:44 AM, Horvath Andras <m...@log69.com> wrote:

> Hi William,
>
> Thanks for the suggestion, but actually that's not what I'm looking for.
>
> When I download an ISO, I also download the SHA1SUM file too to check
> the integrity of the ISO file. But because these 2 files come down
> through an unencrypted line, I cannot be sure that nobody has tampered
> with both of them at the same time, changing the ISO file, and then
> changing the SHA1SUM file too to make it match the file.
>
> AFAIK other Linux distros do sign their SHA or MD5 summary files, like
> for example Debian, here:
> http://cdimage.debian.org/debian-cd/6.0.4/amd64/iso-cd/
>
> Once I have stored the GPG key, I can then check the signatures with it
> afterwards. The SUMS keep changing, but the keys don't.
>
> I think it's practical, hence the reason I wanted to figure this out.
>
> Thanks
>
Oh, yeah, OK. What you're referring to has little to nothing to do with
encryption of the channel. It's *provenance* of the ISO image and
checksums, establishing that the binary material on the mirror server is,
in fact, that provided by our faithful software authors.

In this case, you can get the checksums from the primary website at
http://ftp.scientificlinux.org/linux/scientific/, and get the iso files
anywhere you want. I still think it's a good idea to add this, though, just
as the RPMs themselves are GPG signed.

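The procedure Andras describes (store the signing key once, verify the signature on the SUMS file, then check the ISO against it), written out as an added example that is not part of this thread or of any distribution's tooling. The pinned fingerprint is a placeholder, the file names are constructed, and the signature step parses gpg's `--status-fd` output so that the check binds the SUMS file to a specific key rather than to "some key that happened to verify"; the order matters because a matching checksum proves nothing when the ISO and SHA1SUM were replaced together.

```python
import hashlib
import re
import subprocess
from pathlib import Path

# Placeholder only: the real signing-key fingerprint must be obtained out of
# band (project website, keyserver, printed media) and pinned once.
PINNED_FINGERPRINT = "0000000000000000000000000000000000000000"


def parse_sums(text):
    """Parse coreutils-style lines: '<sha1hex>  <name>' or '<sha1hex> *<name>'."""
    sums = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F]{40}) [ *](.+)$", line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def sha1_of(path):
    """Stream the file so multi-GB ISOs do not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def signer_fingerprints(status_output):
    """Fingerprints named in gpg's VALIDSIG status line (signing key and, if
    present, its primary key). GOODSIG alone does not say *which* key signed."""
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return {parts[2].upper(), parts[-1].upper()}
    return set()


def gpg_status(sig_path, sums_path):
    """Run gpg and capture its machine-readable status lines (needs gpg installed)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, sums_path],
        capture_output=True, text=True)
    return proc.stdout


def verify_release(sums_path, iso_path, status_output, pinned=PINNED_FINGERPRINT):
    """Signature against the pinned key first, checksum second."""
    if pinned.upper() not in signer_fingerprints(status_output):
        return False
    expected = parse_sums(Path(sums_path).read_text()).get(Path(iso_path).name)
    return expected is not None and expected == sha1_of(iso_path)
```

In practice the status text comes from `gpg_status("SHA1SUM.sign", "SHA1SUM")`; the functions are split so the parsing can be exercised without a keyring.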