Edgar Pettijohn wrote in <[email protected]\ .org>:
|On Jan 3, 2020 8:21 AM, Justin Sherrill <[email protected]> wrote:
|>
|> On Fri, Jan 3, 2020 at 4:51 AM Michael Neumann <[email protected]> wrote:
|>> Given that your private key stays secured this adds another layer of
|>> security. Right now, even using SHA256 checksums would be no more secure
|>> in case you download the checksum file (md5.txt or sha256.txt) from the
|>> same mirror server as the file itself.
|>>
|>> If you need help setting this up, please let me know.
|>
|> This is a good idea, and a very helpful writeup. I'm low on time (as
|> is everyone, always) but I'm not working this weekend - let me see how
|> far I get.
|
|Don't forget to post the public key and the hash of the key and sign \
|the key and arrange delivery of the key by armed escort to everyone \
|wishing to download it to ensure security.

The CRUX Linux distribution switched from MD5 hashes to signify.
Compared to GPG this is _very_ small and easy, and only meant for
exactly this purpose. Mind you, i for one could live with improved
OpenSSL tools -- they have the theoretical capability to cover TLS /
S/MIME / file checksumming and more, even multiple of the latter in
batch. Unfortunately that is not true in practice. (And i won't be
the one who implements it.) Leah Neukirchen maintains up-to-date
portable code on GitHub, not only of that.

Please let me, as a non-mathematician non-cryptographer, wonder how
unsafe MD5 for the purpose of file-checksumming really is.

--End of <[email protected]>

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
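
Added example, not part of the thread or of any project's tooling: a local simulation of the point quoted above, that a checksum file fetched from the same mirror as the image proves nothing once the mirror is altered, while a signature over the checksum list does. `openssl dgst` stands in for signify here, and the names `release.key`, `release.pub` and `mirror/` are assumptions made for the example.

```shell
#!/bin/sh
# Added example. All files are constructed in a temp dir; nothing is downloaded.
# openssl dgst stands in for signify; release.key/.pub and mirror/ are assumed names.

# verify: run both downloader-side checks and print their outcome.
verify() {
    if (cd mirror && sha256sum -c sha256.txt >/dev/null 2>&1)
    then c=pass; else c=fail; fi
    if openssl dgst -sha256 -verify release.pub \
        -signature mirror/sha256.txt.sig mirror/sha256.txt >/dev/null 2>&1
    then s=pass; else s=fail; fi
    echo "checksum=$c signature=$s"
}

# publish: write an image plus its checksum list into mirror/.
publish() {
    echo "$1" > mirror/image.iso
    (cd mirror && sha256sum image.iso > sha256.txt)
}

mirror_demo() (
    set -e
    d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
    cd "$d"; mkdir mirror
    # Release side: the private key never goes to the mirror; the public key
    # reaches the downloader through some other channel.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out release.key 2>/dev/null
    openssl pkey -in release.key -pubout -out release.pub
    publish "genuine image"
    openssl dgst -sha256 -sign release.key \
        -out mirror/sha256.txt.sig mirror/sha256.txt
    verify          # untouched mirror
    # Mirror altered: image and checksum list replaced together, old .sig left.
    publish "altered image"
    verify
)

mirror_demo
```

The second result is the same whichever hash the checksum list uses; what changes the outcome is that the verification key did not come from the mirror.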
