Tiny Core Linux

General TC => General TC Talk => Topic started by: SeaDude on September 30, 2015, 10:12:09 PM

Title: .iso checksums AND .sig
Post by: SeaDude on September 30, 2015, 10:12:09 PM

I'm stoked on trying out TCL. Just a recommendation:

The security conscious will be looking for a more robust checksum listed than MD5 (at least SHA1). They would also be looking for a .sig file and a PGP Public Key Fingerprint to ensure that .iso's downloaded have not been tampered with and are authentic.

You may want to link to the download directory on this page: http://tinycorelinux.net/downloads.html since there are no checksums listed here and once clicked, the .iso just downloads. I had to go to the forums to find the download directory.

Title: Re: .iso checksums AND .sig
Post by: gerald_clark on September 30, 2015, 10:50:41 PM
The release files links are right on the page you posted.
Title: Re: .iso checksums AND .sig
Post by: SeaDude on September 30, 2015, 11:34:57 PM
You're right. I didn't explore enough, my fault.

I was just surprised when my download started immediately without the words "Checksum" nearby.
"Core-86 Release Files" didn't scream "I'm a directory with .iso's and md5's inside"; I think "release notes" when I read it.

Just as a heads up, the .iso titles here: http://tinycorelinux.net/downloads.html and here: http://tinycorelinux.net/6.x/x86/release/ don't match. I know that the former are "current" and portrayed in a much more appetizing way.

Found more info here: http://wiki.tinycorelinux.net/wiki:md5sum

Still looking for a "tiny linux" signed md5 and your PGP Public Key Fingerprint.

All good, being active, no slammies.

Title: Re: .iso checksums AND .sig
Post by: curaga on October 01, 2015, 02:23:33 AM
Yes, a rogue mirror or someone close to you could tamper with files, with DNS spoofing or other ways.

However, the issue with GPG is that it's huge, several megabytes, as well as slow. On size alone it can't be included in the base, and checking extensions on boot would be really slow on older hardware, which we support.

If you mean to only sign the .iso files for external validation, you could still be easily subverted via any extension. Just signing the isos would be snake oil.
Title: Re: .iso checksums AND .sig
Post by: SeaDude on October 02, 2015, 09:26:43 AM
Yeah, I wasn't talking about including it in TCL. I was talking about having a signed checksum somewhere then providing the fingerprint of the key it was signed with. This would not be easily subverted.

Its all good. Its a shame that validating software has to be such a pita.

Thanks for the hard work