On Tue, 28 Feb 2012 06:56:38 -0500 Nico Kadel-Garcia <nka...@gmail.com> wrote:
> On Tue, Feb 28, 2012 at 6:44 AM, Horvath Andras <m...@log69.com>
> wrote:
> >
> > Hi William,
> >
> > Thanks for the suggestion, but actually that's not what I'm looking
> > for.
> >
> > When I download an ISO, I also download the SHA1SUM file too to
> > check the integrity of the ISO file. But because these 2 files come
> > down through an unencrypted line, I cannot be sure that nobody has
> > tampered with both of them at the same time, changing the ISO file,
> > and then changing the SHA1SUM file too to make it match the file.
> >
> > AFAIK other Linux distros do sign their SHA or MD5 summary files,
> > like for example Debian, here:
> > http://cdimage.debian.org/debian-cd/6.0.4/amd64/iso-cd/
> >
> > Once I stored the GPG key, then check the signatures with it after
> > all. The SUMS keep changing, but the keys don't.
> >
> > I think it's practical, hence the reason I wanted to figure this
> > out.
> >
> > Thanks
>
> Oh, yeah, OK. What you're referring to has little to nothing to do
> with encryption of the channel. It's *provenance* of the ISO image and
> checksums, establishing that the binary material on the mirror server
> is, in fact, that provided by our faithful software authors.
>
> In this case, you can get the checksums from the primary website at
> http://ftp.scientificlinux.org/linux/scientific/, and get the iso
> files anywhere you want. I still think it's a good idea to add this,
> though, just as the RPM's themselves are GPG signed.

That's what I follow currently, but the question still persists: the
primary website is plain unencrypted HTTP too, so it is easy to modify
the data on the gateways during the download. I understand that I cannot
even make sure to get the right GPG key if I try to get it from anywhere
on the web without contacting the person. But since the SHASUMS keep
changing constantly and the GPG keys probably don't (or very rarely),
I would consider it safer.
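The check the thread is asking for, written out as an added example (this is not code from the thread, from Scientific Linux or from Debian): the SHA1SUM file's detached GPG signature is verified first, against a key stored beforehand and pinned by fingerprint, and only then is the ISO's SHA-1 compared with the listed entry. That ordering is what defeats the "modify both files in transit" case. It assumes `gpg` is on PATH, the stored key is in a keyring file of your own, and the signature sits beside the sum file as `<name>.sign` (Debian's layout); the sample directory it builds is constructed data with no signature, so it exercises only the hash-file parsing and comparison.

```python
"""Added example, not from the thread or from Scientific Linux: verify an
ISO in the order the thread argues for (signature of the checksum file
first, file hash second). Assumes gpg on PATH, a keyring file holding the
key you stored earlier, and a detached signature named <sumfile>.sign."""
import hashlib
import hmac
import os
import subprocess
import tempfile


def verify_detached_signature(sig_path, data_path, keyring, expected_fpr):
    """Return True only if gpg reports a valid signature by the pinned key.

    gpg's machine-readable status lines come from --status-fd; the line
    '[GNUPG:] VALIDSIG <fingerprint> ...' is emitted only for a signature
    that verified. GOODSIG alone would accept any key present in the
    keyring, so the fingerprint is compared against the one you pinned.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True,
    )
    wanted = expected_fpr.replace(" ", "").upper()
    for line in proc.stdout.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return hmac.compare_digest(fields[2].upper(), wanted)
    return False


def parse_sum_file(path):
    """Parse sha1sum output ('<40 hex>  <name>' or '<40 hex> *<name>') into {name: hex}."""
    entries = {}
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            if len(parts) != 2:
                continue  # malformed line: skip rather than guess
            digest, name = parts[0].lower(), parts[1].lstrip("*")
            if len(digest) == 40 and all(c in "0123456789abcdef" for c in digest):
                entries[name] = digest
    return entries


def sha1_of_file(path):
    """Stream the file so a multi-GB ISO is never read into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_sums(sum_path, directory):
    """Map each listed file to True (digest matches) or False (mismatch or missing)."""
    results = {}
    for name, digest in parse_sum_file(sum_path).items():
        target = os.path.join(directory, name)
        if not os.path.isfile(target):
            results[name] = False
            continue
        results[name] = hmac.compare_digest(sha1_of_file(target), digest)
    return results


def verify_iso_dir(directory, sum_name, keyring, expected_fpr):
    """Signature first, hashes second; a bad signature stops everything."""
    sum_path = os.path.join(directory, sum_name)
    if not verify_detached_signature(sum_path + ".sign", sum_path, keyring, expected_fpr):
        raise RuntimeError("SHA1SUM signature did not verify against the pinned key")
    return check_sums(sum_path, directory)


def build_sample_dir():
    """Constructed sample data: a tiny 'ISO', a second file whose listed
    digest is wrong (the tampered case), and an entry for a file that is
    not there. Returns (path to SHA1SUM, directory)."""
    d = tempfile.mkdtemp(prefix="isocheck-")
    with open(os.path.join(d, "good.iso"), "wb") as fh:
        fh.write(b"hello")  # sha1 = aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
    with open(os.path.join(d, "forged.iso"), "wb") as fh:
        fh.write(b"hello, tampered")
    sum_path = os.path.join(d, "SHA1SUM")
    with open(sum_path, "w", encoding="utf-8") as fh:
        fh.write("aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d  good.iso\n")
        fh.write("aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d *forged.iso\n")
        fh.write("0000000000000000000000000000000000000000  missing.iso\n")
    return sum_path, d


if __name__ == "__main__":
    sample_sums, sample_dir = build_sample_dir()
    print(check_sums(sample_sums, sample_dir))
```

In real use you would call `verify_iso_dir(".", "SHA1SUM", "/path/to/stored-keyring.gpg", "<pinned fingerprint>")` after downloading the ISO, the SHA1SUM file and its `.sign` next to each other; the pinned fingerprint is the part you obtain once, out of band, and keep, which is exactly the "keys don't change, sums do" property the thread relies on.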