WelcomeWelcome | FAQFAQ | DownloadsDownloads | WikiWiki

Author Topic: .iso checksums AND .sig  (Read 3313 times)

Offline SeaDude

  • Newbie
  • *
  • Posts: 3
.iso checksums AND .sig
« on: September 30, 2015, 10:12:09 PM »
Hello,

I'm stoked on trying out TCL. Just a recommendation:

The security conscious will be looking for a more robust checksum listed than MD5 (at least SHA1). They would also be looking for a .sig file and a PGP Public Key Fingerprint to ensure that .iso's downloaded have not been tampered with and are authentic.

You may want to link to the download directory on this page: http://tinycorelinux.net/downloads.html since there are no checksums listed here and once clicked, the .iso just downloads. I had to go to the forums to find the download directory.

yay

Offline gerald_clark

  • TinyCore Moderator
  • Hero Member
  • *****
  • Posts: 4254
Re: .iso checksums AND .sig
« Reply #1 on: September 30, 2015, 10:50:41 PM »
The release files links are right on the page you posted.

Offline SeaDude

  • Newbie
  • *
  • Posts: 3
Re: .iso checksums AND .sig
« Reply #2 on: September 30, 2015, 11:34:57 PM »
You're right. I didn't explore enough, my fault.

I was just surprised when my download started immediately without the words "Checksum" nearby.
"Core-86 Release Files" didn't scream "I'm a directory with .iso's and md5's inside"; I think "release notes" when I read it.

Just as a heads up, the .iso titles here: http://tinycorelinux.net/downloads.html and here: http://tinycorelinux.net/6.x/x86/release/ don't match. I know that the former are "current" and portrayed in a much more appetizing way.

Found more info here: http://wiki.tinycorelinux.net/wiki:md5sum

Still looking for a "tiny linux" signed md5 and your PGP Public Key Fingerprint.

All good, being active, no slammies.



Offline curaga

  • Administrator
  • Hero Member
  • *****
  • Posts: 10957
Re: .iso checksums AND .sig
« Reply #3 on: October 01, 2015, 02:23:33 AM »
Yes, a rogue mirror or someone close to you could tamper with files, with DNS spoofing or other ways.

However, the issue with GPG is that it's huge, several megabytes, as well as slow. On size alone it can't be included in the base, and checking extensions on boot would be really slow on older hardware, which we support.

If you mean to only sign the .iso files for external validation, you could still be easily subverted via any extension. Just signing the isos would be snake oil.
The only barriers that can stop you are the ones you create yourself.

Offline SeaDude

  • Newbie
  • *
  • Posts: 3
Re: .iso checksums AND .sig
« Reply #4 on: October 02, 2015, 09:26:43 AM »
Yeah, I wasn't talking about including it in TCL. I was talking about having a signed checksum somewhere then providing the fingerprint of the key it was signed with. This would not be easily subverted.

Its all good. Its a shame that validating software has to be such a pita.

Thanks for the hard work