Verify authenticity of TinyCore downloads

[xi]

I want to check that my tinycore installation image really is the tinycore installation image.

Tinycore files are distributed with checklist files, such as this one.
http://www.tinycorelinux.net/12.x/x86_64/release/CorePure64-12.0.iso.md5.txt

I could check the image with the checklist file, but this does not satisfy me because neither file is signed. It could be that a man-in-the-middle has changed both the ISO and the MD5.

Is there a safer way to get the md5.txt file?

[Rich]

Hi xi
Welcome to the forum.

I suppose you could compare it to one of the mirrors:
http://distro.ibiblio.org/tinycorelinux/12.x/x86_64/release/CorePure64-12.0.iso.md5.txt

This is what I get when logged into our server:

Code: [Select]

~$ cat /12.x/x86_64/release/CorePure64-12.0.iso.md5.txt
54bc11152740fe4b0148521fd5f39639  CorePure64-12.0.iso

[xi]

Hi Rich

Indeed that is better, but still, that file is not signed either.

It would also work if the checklist is distributed with TLS.

[nick65go]

@xi: The check algorithm md5 is weaker than sha*. But lets say you manage to download over a secured HTTPS connection, from a trusted web-site /mirror, and you can check that the seal (md5, sha-256, etc) is OK. Then you can only be sure that you get the original package (TCZ) as it was released by its author. And nothing more.

Security is an illusion. You DO NOT know what is packaged in that TCZ. You have to trust the (open) source without audit it. You have to trust the gcc compiler was not hacked. You have to trust the author of the extension (TCZ) really gave you the results of the final program, not its other "work", blob, he could put inside tcz (Who do you think will audit your tcz ?).

PS: Personally I do not have these concerns. But it seams you started to have them, or at least opened the Pandora box.

[xi]

I agree, mostly. But I trust the packager and the upstream more than I trust the administrators of the network from the mirror to my house.

[curaga]

This is a valid concern absolutely, but as a small project with not much resources, signing was judged to be too much trouble in the past. There's some previous discussion on the forum.

TC is not intended to be an absolutely secure platform like OpenBSD; if you need that level of security, another distro may be useful.

[xi]

In fact signing is not necessary; I would be happy with an HTTPS mirror for just the checklist files, like this: https://seashells.crabdance.com/tinycore/

Of course, somebody could have tampered with the files while I was downloading them, and I could have tampered with them, but at least such subterfuge would be easily caught by comparison with other mirrors, as Rich proposed.

Indeed I use OpenBSD when I care more for security. But, even if I don't trust the distribution protocol, I still trust TinyCore above most GNU/Linux distributions since it is so much simpler.

[nick65go]

I would be happy with an HTTPS mirror for just the checklist files

so your problem is solved, because there are tens of HTTPS web-sites which mirrored tinycorelinux already, such as:
https://mirrors.dotsrc.org/tinycorelinux/12.x/x86_64/tcz/
https://ftp.nluug.nl/os/Linux/distr/pub/linux/distributions/tinycorelinux/
https://mirror.cpsc.ucalgary.ca/mirror/tinycorelinux/

[Rich]

Hi xi
Here's one more:
https://mirror.epn.edu.ec/tinycorelinux/12.x/x86_64/release/