WelcomeWelcome | FAQFAQ | DownloadsDownloads | WikiWiki

Author Topic: Signed files  (Read 1598 times)

Offline ispgardner

  • Newbie
  • *
  • Posts: 7
Signed files
« on: June 02, 2023, 09:57:50 PM »
I'm coming and leaving to TinyCore couple of times. The main reason of departing from TinyCore is than none of the packages/images are signed. Would it be possible to hash (sha512) all important files in TinyCore repository and sign the list with gpg?
I would appreciate your help.

Offline chattrhand

  • Full Member
  • ***
  • Posts: 140
md5sum too weak?
« Reply #1 on: June 03, 2023, 09:01:41 AM »
In the AppsBrowser there is  a md5check for all of the extensions
TinyCore, SliTaz, LinuxMint, Tails, Mac ...

Offline ispgardner

  • Newbie
  • *
  • Posts: 7
Re: Signed files
« Reply #2 on: June 03, 2023, 09:19:44 AM »
The *.tcz.md5.txt checks integrity of the download itself and it is not a signed file, chance it may be compromised. I can create checksum list of all important files it would be nice if someone (who has an access to originals) can sign it.
It is just a suggestion.
BTW md5 is good for checking the download integrity, but no god for repository integrity.

Offline NewUser

  • Full Member
  • ***
  • Posts: 166
Re: Signed files
« Reply #3 on: June 04, 2023, 11:50:51 PM »
When you leave Tiny Core, where do you go? Windows? Or some other Linux distro?

Offline ispgardner

  • Newbie
  • *
  • Posts: 7
Re: Signed files
« Reply #4 on: June 05, 2023, 06:54:56 AM »
Usually I’m returning to Debian. This time I’m planning to recreate TC from the secure packages. It seems to be easy to convert many deb packages to tcz pkgs. TC uses a very good concept and I’m not planning to abandon this concept. Here are strengths of TC; brilliant simplicity, easy to modify and update, good documentation (outdated though), responsive and friendly forum. The main problem is security (which is easily correctable). Publishing the signed list similar to:
/http://ftp.de.debian.org/debian/dists/Debian11.7/InRelease or http://http://ftp.de.debian.org/debian/dists/Debian11.7/Release would not be that difficult.
« Last Edit: June 05, 2023, 06:59:01 AM by ispgardner »

Offline Paul_123

  • Administrator
  • Hero Member
  • *****
  • Posts: 1079
Re: Signed files
« Reply #5 on: June 05, 2023, 07:01:24 AM »
That's all you want?  An unsecure list of md5's

That is already available.   http://www.tinycorelinux.net/14.x/x86_64/tcz/md5.db.gz

Obviously whatever version/architecture you are looking for.
« Last Edit: June 05, 2023, 07:03:17 AM by Paul_123 »

Offline ispgardner

  • Newbie
  • *
  • Posts: 7
Re: Signed files
« Reply #6 on: June 05, 2023, 07:43:01 AM »
Pls. notice that both InRelease and Release (with external sign Release.gpg) are signed files. It would be nice if someone sign md5.db file (and publish public gpg in SKS or something else). The md5 is not the best hash, but it is better than nothing.
Thank you for the replay. Gardner.