Tiny Core Linux

Tiny Core Base => TCB Talk => Topic started by: ispgardner on June 02, 2023, 09:57:50 PM

Title: Signed files
Post by: ispgardner on June 02, 2023, 09:57:50 PM
I have come to and left TinyCore a couple of times. The main reason for departing from TinyCore is that none of the packages/images are signed. Would it be possible to hash (sha512) all important files in the TinyCore repository and sign the list with gpg?
I would appreciate your help.
Title: md5sum too weak?
Post by: chattrhand on June 03, 2023, 09:01:41 AM
In the AppsBrowser there is an md5 check for all of the extensions.
Title: Re: Signed files
Post by: ispgardner on June 03, 2023, 09:19:44 AM
The *.tcz.md5.txt checks the integrity of the download itself, and it is not a signed file, so there is a chance it may be compromised. I can create a checksum list of all important files; it would be nice if someone (who has access to the originals) could sign it.
It is just a suggestion.
BTW md5 is good for checking download integrity, but no good for repository integrity.
Title: Re: Signed files
Post by: NewUser on June 04, 2023, 11:50:51 PM
When you leave Tiny Core, where do you go? Windows? Or some other Linux distro?
Title: Re: Signed files
Post by: ispgardner on June 05, 2023, 06:54:56 AM
Usually I return to Debian. This time I'm planning to recreate TC from secure packages. It seems to be easy to convert many deb packages to tcz packages. TC uses a very good concept and I'm not planning to abandon that concept. Here are the strengths of TC: brilliant simplicity, easy to modify and update, good documentation (outdated though), a responsive and friendly forum. The main problem is security (which is easily correctable). Publishing a signed list similar to:
http://ftp.de.debian.org/debian/dists/Debian11.7/InRelease or http://ftp.de.debian.org/debian/dists/Debian11.7/Release would not be that difficult.
Title: Re: Signed files
Post by: Paul_123 on June 05, 2023, 07:01:24 AM
That's all you want? An unsecured list of md5s?

That is already available.   http://www.tinycorelinux.net/14.x/x86_64/tcz/md5.db.gz

Obviously whatever version/architecture you are looking for.
Title: Re: Signed files
Post by: ispgardner on June 05, 2023, 07:43:01 AM
Please notice that both InRelease and Release (with the external signature Release.gpg) are signed files. It would be nice if someone signed the md5.db file (and published the public GPG key on SKS or somewhere else). md5 is not the best hash, but it is better than nothing.
Thank you for the reply. Gardner.
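The workflow proposed in this thread (hash every extension, GPG-sign the list, and have clients verify the signature before trusting the hashes, the way Debian's Release and Release.gpg work), as an added worked example that is not part of the thread and not Tiny Core's own tooling. It assumes gpg 2.1 or newer and coreutils sha512sum; the key identity, the directory layout, the file name sha512.db and the sample "extension" contents are made up for the example. The last two steps show why an unsigned md5.db is not enough: an attacker who replaces a package on a mirror can also regenerate the unsigned hash list, but cannot produce a valid signature over the new list.

```sh
#!/bin/sh
# Added example (not Tiny Core's tooling): signed hash list for a repository
# directory, modelled on Debian's Release + Release.gpg.
# Publisher: hashes every file, detach-signs the list, exports the public key.
# Client: imports only the public key, verifies the signature, then checks hashes.
# Assumes gpg >= 2.1 and coreutils sha512sum. Identities/paths are hypothetical.
set -u

WORK=$(mktemp -d)
PUBLISHER="$WORK/publisher-gnupg"   # publisher's keyring, holds the private key
CLIENT="$WORK/client-gnupg"         # client's keyring, public key only
REPO="$WORK/tcz"                    # stands in for the tcz/ directory of a mirror
mkdir -p "$PUBLISHER" "$CLIENT" "$REPO"
chmod 700 "$PUBLISHER" "$CLIENT"
cleanup() {
    gpgconf --homedir "$PUBLISHER" --kill gpg-agent 2>/dev/null
    gpgconf --homedir "$CLIENT" --kill gpg-agent 2>/dev/null
    rm -rf "$WORK"
}
trap cleanup EXIT

# Constructed sample files standing in for real *.tcz extensions.
printf 'constructed payload of foo.tcz\n' > "$REPO/foo.tcz"
printf 'constructed payload of bar.tcz\n' > "$REPO/bar.tcz"

gpg_pub() { gpg --homedir "$PUBLISHER" --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }
gpg_cli() { gpg --homedir "$CLIENT" --batch --quiet "$@"; }

# --- publisher side --------------------------------------------------------
# Hypothetical repository signing key; 'default' = gpg's default algorithm, 0 = no expiry.
gpg_pub --quick-gen-key 'TC Repo Signer (example) <repo@example.invalid>' default default 0 2>/dev/null

publish() {
    # sha512.db: one line per extension, the role md5.db.gz plays today.
    ( cd "$REPO" && sha512sum ./*.tcz ) > "$REPO/sha512.db"
    # Detached ASCII-armored signature over the whole list, like Release.gpg.
    gpg_pub --yes --armor --detach-sign --output "$REPO/sha512.db.gpg" "$REPO/sha512.db"
    # Public key the publisher would distribute out of band (keyserver, website).
    gpg_pub --armor --export repo@example.invalid > "$REPO/repo-signing-key.asc"
}

# --- client side -----------------------------------------------------------
# Returns 0 on success, 1 if the signature over the list does not verify,
# 2 if a file's hash does not match the (authenticated) list. Order matters:
# a hash list is only worth checking against once its signature is good.
verify_repo() {
    gpg_cli --verify "$REPO/sha512.db.gpg" "$REPO/sha512.db" >/dev/null 2>&1 || return 1
    ( cd "$REPO" && sha512sum --check --quiet sha512.db ) >/dev/null 2>&1 || return 2
    return 0
}
verify_status() { if verify_repo; then echo 0; else echo $?; fi; }

publish
gpg_cli --import "$REPO/repo-signing-key.asc" 2>/dev/null
echo "clean mirror: $(verify_status)"

# A tampered package on the mirror: signature still good, hash check fails.
printf 'backdoored payload\n' > "$REPO/bar.tcz"
echo "tampered package: $(verify_status)"

# The attacker also regenerates the hash list (enough to fool an unsigned
# md5.db); now the signature no longer matches, so the client rejects the list.
( cd "$REPO" && sha512sum ./*.tcz ) > "$REPO/sha512.db"
echo "tampered package and regenerated list: $(verify_status)"
```

The client keyring deliberately contains nothing but the imported public key, which is all a verifier needs; gpg will warn that the key is not certified by a trusted signature, so in practice the fingerprint should be pinned (as apt does with its keyring files) rather than fetched from the same mirror as the files it protects.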