digital signatures for SHASUMS, where?
Dear List,

Could anyone kindly tell me where I can find any digital signatures that belong to the SHA1SUM or other hashes of the downloadable .iso files (installer and live ISO)?

Since the ISO files have to be downloaded through an unencrypted FTP or HTTP connection along with their hash files, both could easily be manipulated and changed on the way to the user's machine.

What am I missing here?

Thanks!
Re: digital signatures for SHASUMS, where?
Hi William,

Thanks for the suggestion, but actually that's not what I'm looking for.

When I download an ISO, I also download the SHA1SUM file to check the integrity of the ISO file. But because these two files come down through an unencrypted line, I cannot be sure that nobody has tampered with both of them at the same time, changing the ISO file and then changing the SHA1SUM file too to make it match the file.

AFAIK other Linux distros do sign their SHA or MD5 summary files, like for example Debian, here: http://cdimage.debian.org/debian-cd/6.0.4/amd64/iso-cd/

Once I have stored the GPG key, I can check the signatures with it afterwards. The SUMS keep changing, but the keys don't.

I think it's practical, hence the reason I wanted to figure this out.

Thanks.

Andras

On Tue, 28 Feb 2012 02:04:56 -0800 (PST) William Shu wrote:
> Dear Horvath,
> I suppose you mean values for Scientific Linux ISOs? They are found
> in the relevant ISO directories. For example:
> http://ftp1.scientificlinux.org/linux/scientific/6.1/i386/iso/SHA1SUM
> http://ftp1.scientificlinux.org/linux/scientific/6.1/x86_64/iso/SHA1SUM
>
> William.
>
> > From: Horvath Andras
> > To: scientific-linux-us...@fnal.gov
> > Sent: Tuesday, February 28, 2012 8:39 AM
> > Subject: digital signatures for SHASUMS, where?
> >
> > Dear List,
> >
> > Could anyone kindly tell me where I can find any digital signatures
> > that belong to the SHA1SUM or other hashes of the downloadable .iso
> > files (installer and live ISO)?
> >
> > Since the ISO files have to be downloaded through an unencrypted FTP
> > or HTTP connection along with their hash files, both could easily be
> > manipulated and changed on the way to the user's machine.
> >
> > What am I missing here?
> >
> > Thanks!
Re: digital signatures for SHASUMS, where?
On Tue, 28 Feb 2012 06:56:38 -0500 Nico Kadel-Garcia wrote:
> On Tue, Feb 28, 2012 at 6:44 AM, Horvath Andras wrote:
> > Hi William,
> >
> > Thanks for the suggestion, but actually that's not what I'm looking
> > for.
> >
> > When I download an ISO, I also download the SHA1SUM file to
> > check the integrity of the ISO file. But because these two files come
> > down through an unencrypted line, I cannot be sure that nobody has
> > tampered with both of them at the same time, changing the ISO file
> > and then changing the SHA1SUM file too to make it match the file.
> >
> > AFAIK other Linux distros do sign their SHA or MD5 summary files,
> > like for example Debian, here:
> > http://cdimage.debian.org/debian-cd/6.0.4/amd64/iso-cd/
> >
> > Once I have stored the GPG key, I can check the signatures with it
> > afterwards. The SUMS keep changing, but the keys don't.
> >
> > I think it's practical, hence the reason I wanted to figure this
> > out.
> >
> > Thanks
>
> Oh, yeah, OK. What you're referring to has little to nothing to do
> with encryption of the channel. It's *provenance* of the ISO image and
> checksums, establishing that the binary material on the mirror server
> is, in fact, that provided by our faithful software authors.
>
> In this case, you can get the checksums from the primary website at
> http://ftp.scientificlinux.org/linux/scientific/, and get the ISO
> files anywhere you want. I still think it's a good idea to add this,
> though, just as the RPMs themselves are GPG signed.

That's what I follow currently, but the question still persists: the primary website is plain unencrypted HTTP too, so it is easy to modify the data on the gateways during the download.

I understand that I cannot even make sure to get the right GPG key if I try to get it from anywhere on the web without contacting the person. But since the SHASUMS keep changing constantly and the GPG keys probably don't (or very rarely), I would consider it safer.
Re: digital signatures for SHASUMS, where?
On Tue, 28 Feb 2012 13:25:54 + David Crick wrote:
> Signed SHA*SUMs did briefly appear on the main and
> mirror download sites for the installation ISOs.
>
> However, once the Live ISOs were uploaded, their
> (unsigned) SHA*SUMs were merged with the install
> ISOs' SHA*SUMs, and replaced with a single UNsigned
> file.
>
> I did retrieve a copy of the signed SHA256SUM file
> for the install ISOs before it was replaced, and include
> it below. The sha256sum hashes match the hashes
> that are in the replacement unsigned files, and the
> digital signature on the signed file included below did
> verify. (My mailer and/or this mailing list may mangle
> the file below; there should be NO line breaks between
> the end of the sha256sum, which is followed by two
> spaces, and then the ISO file name.)
>
> David.
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> 13dc08249d0c1e7885a9f304e6ae510737112bcf593e875a71b81feff1fd37a1  SL-62-x86_64-2012-02-06-Everything-DVD1.iso
> 5a039a53d8cba4b972c720ba58865b47656d6c1aa80b44b83aeb046983df92f0  SL-62-x86_64-2012-02-06-Everything-DVD2.iso
> d41c280f46c6239619384170df74639c19813a4a86f011fa6f15e546e8874279  SL-62-x86_64-2012-02-06-boot.iso
> 48b6af8d71c272591cea37c99e7c67d310b352ef00a5d4ac2b2563fbb90a2f9b  SL-62-x86_64-2012-02-06-Install-DVD.iso
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.14 (GNU/Linux)
>
> iEYEARECAAYFAk8xQx8ACgkQsLQYPxkqfX1e8QCeMsza0Udokn050GFaMOhnUT9x
> DlYAn2ny/nM05iA8EDPhxEOHEHkwu2uo
> =ImgV
> -----END PGP SIGNATURE-----

Thank you very much for the signed hash, I could successfully extract it and check the signature!

So you're saying that it is common for the developers to sign the SHASUM files? And now the files got overwritten? Could this be an accident then? As I saw, the Live .iso files get updated from time to time, so it would be practical to always have signed hash files.
I'm not familiar with the whole process, I've been using SL only for a couple of months now (gratefully thanks to the devs!), excuse any of my inconvenient questions! Andras
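The check the thread is circling (Nico's point that the issue is provenance, not channel encryption, and David's signed SHA256SUM) is two separate steps that are easy to conflate: first confirm that the signed sums file was signed by the key you obtained out of band, and only then hash the ISOs against it. The script below is an added example written for this page; it is not code from the thread or from the Scientific Linux project. The SIGNED_SHA256SUM constant is David's posted file with the mail-mangled lines rejoined as he describes and the armor dashes restored; the gpg invocation and VALIDSIG parsing are this example's own approach, the expected_fingerprint parameter is something the caller must supply from a trusted source (the example does not tell you what it is), and the download directory in the demo is constructed, so the real ISOs are reported as missing or failed.

```python
import hashlib
import os
import re
import subprocess
import tempfile

# David Crick's signed SHA256SUM for the SL 6.2 install ISOs as posted to the
# list, with hash and file name rejoined on one line (two spaces between them)
# and the standard five-dash armor lines restored.
SIGNED_SHA256SUM = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

13dc08249d0c1e7885a9f304e6ae510737112bcf593e875a71b81feff1fd37a1  SL-62-x86_64-2012-02-06-Everything-DVD1.iso
5a039a53d8cba4b972c720ba58865b47656d6c1aa80b44b83aeb046983df92f0  SL-62-x86_64-2012-02-06-Everything-DVD2.iso
d41c280f46c6239619384170df74639c19813a4a86f011fa6f15e546e8874279  SL-62-x86_64-2012-02-06-boot.iso
48b6af8d71c272591cea37c99e7c67d310b352ef00a5d4ac2b2563fbb90a2f9b  SL-62-x86_64-2012-02-06-Install-DVD.iso
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iEYEARECAAYFAk8xQx8ACgkQsLQYPxkqfX1e8QCeMsza0Udokn050GFaMOhnUT9x
DlYAn2ny/nM05iA8EDPhxEOHEHkwu2uo
=ImgV
-----END PGP SIGNATURE-----
"""

# sha256sum output format: 64 hex digits, two spaces, file name.
SUM_LINE = re.compile(r"^([0-9a-f]{64})  (\S+)$")


def parse_clearsigned_sums(text):
    """Return {filename: sha256hex} from the body of a clearsigned sums file.

    Text extraction only: no cryptographic check happens here. Anything read
    from a mirror is untrusted until gpg_verified_payload() has vouched for it.
    """
    lines = text.splitlines()
    start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
    end = lines.index("-----BEGIN PGP SIGNATURE-----")
    body = lines[start + 1:end]
    if "" in body:                       # skip armor headers such as "Hash: SHA1"
        body = body[body.index("") + 1:]
    sums = {}
    for line in body:
        m = SUM_LINE.match(line)
        if m:
            sums[m.group(2)] = m.group(1)
    return sums


def gpg_verified_payload(signed_path, expected_fingerprint):
    """Verify with gpg and return the signed text only if the expected key signed it.

    'Good signature' alone is not enough: gpg prints that for any key in the
    keyring, including one an attacker slipped onto a web page. We require a
    VALIDSIG status line whose fingerprint equals one obtained out of band.
    (Assumption of this example: gpg is on PATH and the key is imported.)
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "2", "--decrypt", signed_path],
        capture_output=True, text=True,
    )
    seen = set()
    for line in proc.stderr.splitlines():
        if line.startswith("[GNUPG:] VALIDSIG "):
            fields = line.split()
            seen.add(fields[2].upper())   # fingerprint of the signing (sub)key
            seen.add(fields[-1].upper())  # fingerprint of the primary key
    want = expected_fingerprint.replace(" ", "").upper()
    if proc.returncode != 0 or want not in seen:
        raise RuntimeError("signature did not verify against the expected key")
    return proc.stdout                    # the verified sums text


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_isos(sums, directory):
    """Return {filename: 'OK' | 'FAILED' | 'MISSING'}, like `sha256sum -c`."""
    results = {}
    for name, expected in sums.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        else:
            results[name] = "OK" if sha256_file(path) == expected else "FAILED"
    return results


def make_sample_dir(files):
    """Constructed stand-in for a download directory: {name: bytes} -> path."""
    d = tempfile.mkdtemp()
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d


if __name__ == "__main__":
    sums = parse_clearsigned_sums(SIGNED_SHA256SUM)
    # Constructed download where boot.iso is not the real image: expect FAILED.
    d = make_sample_dir({"SL-62-x86_64-2012-02-06-boot.iso": b"not the real ISO"})
    print(check_isos(sums, d))
```

In real use the order matters: call gpg_verified_payload() on the downloaded SHA256SUM.asc first and feed its return value, not the raw file, to parse_clearsigned_sums(); the fingerprint you pass in is the one thing in this flow that has to come from somewhere other than the mirror, which is exactly why a long-lived signing key is more useful than sums that change with every Live ISO refresh.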
Re: Scientific Linux 7 ALPHA
A question: Will the point releases of SL7 be supported long term separately, as they were on SL6 (unlike on CentOS)?