WelcomeWelcome | FAQFAQ | DownloadsDownloads | WikiWiki

Author Topic: Verify authenticity of TinyCore downloads  (Read 2956 times)

Offline xi

  • Newbie
  • *
  • Posts: 4
Verify authenticity of TinyCore downloads
« on: November 03, 2021, 06:10:08 PM »
I want to check that my tinycore installation image really is the tinycore installation image.

Tinycore files are distributed with checklist files, such as this one.
http://www.tinycorelinux.net/12.x/x86_64/release/CorePure64-12.0.iso.md5.txt

I could check the image with the checklist file, but this does not satisfy me because neither file is signed. It could be that a man-in-the-middle has changed both the ISO and the MD5.

Is there a safer way to get the md5.txt file?

Offline Rich

  • Administrator
  • Hero Member
  • *****
  • Posts: 11588
Re: Verify authenticity of TinyCore downloads
« Reply #1 on: November 03, 2021, 10:55:00 PM »
Hi xi
Welcome to the forum.

I suppose you could compare it to one of the mirrors:
http://distro.ibiblio.org/tinycorelinux/12.x/x86_64/release/CorePure64-12.0.iso.md5.txt

This is what I get when logged into our server:
Code: [Select]
~$ cat /12.x/x86_64/release/CorePure64-12.0.iso.md5.txt
54bc11152740fe4b0148521fd5f39639  CorePure64-12.0.iso

Offline xi

  • Newbie
  • *
  • Posts: 4
Re: Verify authenticity of TinyCore downloads
« Reply #2 on: November 04, 2021, 06:51:08 AM »
Hi Rich

Indeed that is better, but still, that file is not signed either.

It would also work if the checklist is distributed with TLS.

Offline nick65go

  • Hero Member
  • *****
  • Posts: 832
Re: Verify authenticity of TinyCore downloads
« Reply #3 on: November 05, 2021, 07:51:01 AM »
@xi: The check algorithm md5 is weaker than sha*. But lets say you manage to download over a secured HTTPS connection, from a trusted web-site /mirror, and you can check that the seal (md5, sha-256, etc) is OK. Then you can only be sure that you get the original package (TCZ) as it was released by its author. And nothing more.

Security is an illusion. You DO NOT know what is packaged in that TCZ. You have to trust the (open) source without audit it. You have to trust the gcc compiler was not hacked. You have to trust the author of the extension (TCZ) really gave you the results of the final program, not its other "work", blob, he could put inside tcz (Who do you think will audit your tcz ?).

PS: Personally I do not have these concerns. But it seams you started to have them, or at least opened the Pandora box.
« Last Edit: November 05, 2021, 07:52:40 AM by nick65go »

Offline xi

  • Newbie
  • *
  • Posts: 4
Re: Verify authenticity of TinyCore downloads
« Reply #4 on: November 05, 2021, 10:16:30 AM »
I agree, mostly. But I trust the packager and the upstream more than I trust the administrators of the network from the mirror to my house.

Offline curaga

  • Administrator
  • Hero Member
  • *****
  • Posts: 11044
Re: Verify authenticity of TinyCore downloads
« Reply #5 on: November 05, 2021, 01:41:42 PM »
This is a valid concern absolutely, but as a small project with not much resources, signing was judged to be too much trouble in the past. There's some previous discussion on the forum.

TC is not intended to be an absolutely secure platform like OpenBSD; if you need that level of security, another distro may be useful.
The only barriers that can stop you are the ones you create yourself.

Offline xi

  • Newbie
  • *
  • Posts: 4
Re: Verify authenticity of TinyCore downloads
« Reply #6 on: November 05, 2021, 06:58:02 PM »
In fact signing is not necessary; I would be happy with an HTTPS mirror for just the checklist files, like this: https://seashells.crabdance.com/tinycore/

Of course, somebody could have tampered with the files while I was downloading them, and I could have tampered with them, but at least such subterfuge would be easily caught by comparison with other mirrors, as Rich proposed.

Indeed I use OpenBSD when I care more for security. But, even if I don't trust the distribution protocol, I still trust TinyCore above most GNU/Linux distributions since it is so much simpler.

Offline nick65go

  • Hero Member
  • *****
  • Posts: 832
Re: Verify authenticity of TinyCore downloads
« Reply #7 on: November 05, 2021, 07:57:30 PM »
I would be happy with an HTTPS mirror for just the checklist files
so your problem is solved, because there are tens of HTTPS web-sites which mirrored tinycorelinux already, such as:
https://mirrors.dotsrc.org/tinycorelinux/12.x/x86_64/tcz/
https://ftp.nluug.nl/os/Linux/distr/pub/linux/distributions/tinycorelinux/
https://mirror.cpsc.ucalgary.ca/mirror/tinycorelinux/



Offline Rich

  • Administrator
  • Hero Member
  • *****
  • Posts: 11588
Re: Verify authenticity of TinyCore downloads
« Reply #8 on: November 05, 2021, 09:02:34 PM »