Signed files

[ispgardner]

I'm coming and leaving to TinyCore couple of times. The main reason of departing from TinyCore is than none of the packages/images are signed. Would it be possible to hash (sha512) all important files in TinyCore repository and sign the list with gpg?
I would appreciate your help.

[chattrhand]

In the AppsBrowser there is  a md5check for all of the extensions

[ispgardner]

The *.tcz.md5.txt checks integrity of the download itself and it is not a signed file, chance it may be compromised. I can create checksum list of all important files it would be nice if someone (who has an access to originals) can sign it.
It is just a suggestion.
BTW md5 is good for checking the download integrity, but no god for repository integrity.

[NewUser]

When you leave Tiny Core, where do you go? Windows? Or some other Linux distro?

[ispgardner]

Usually I’m returning to Debian. This time I’m planning to recreate TC from the secure packages. It seems to be easy to convert many deb packages to tcz pkgs. TC uses a very good concept and I’m not planning to abandon this concept. Here are strengths of TC; brilliant simplicity, easy to modify and update, good documentation (outdated though), responsive and friendly forum. The main problem is security (which is easily correctable). Publishing the signed list similar to:
/http://ftp.de.debian.org/debian/dists/Debian11.7/InRelease or http://http://ftp.de.debian.org/debian/dists/Debian11.7/Release would not be that difficult.

[Paul_123]

That's all you want?  An unsecure list of md5's

That is already available.   http://www.tinycorelinux.net/14.x/x86_64/tcz/md5.db.gz

Obviously whatever version/architecture you are looking for.

[ispgardner]

Pls. notice that both InRelease and Release (with external sign Release.gpg) are signed files. It would be nice if someone sign md5.db file (and publish public gpg in SKS or something else). The md5 is not the best hash, but it is better than nothing.
Thank you for the replay. Gardner.