digital signatures for SHASUMS, where?
| This forum is proudly powered by Scientific Linux 6 | SL website Download SL Help Search Members |
| Welcome Guest ( Log In | Register ) | Resend Validation Email |
   |
digital signatures for SHASUMS, where?| log69 |
Posted: Feb 27 2012, 08:36 AM
|
|
 SLF Member  Group: Members Posts: 97 Member No.: 1325 Joined: 24-February 12  |
Dear Members,
I decided to put my question in this forum, since I believe it has important things to do with security. Ever since I switched to using SL as my main system on servers and desktops, I couldn't find any answer to the following question of mine: Where can I find any digital signatures that belong to the SHA1SUM or other hashes of the .iso files? AFAIK all the other mainstream distros sign their hash files, but I can't find any for SL. Since the ISO files have to be downloaded through an unencrypted FTP or HTTP connection along with their hash files, both could easily be manipulated and changed on the way to the user's machine. So this question bothers me for some time now, or simply I might be missing something here. Thanks! |
|
|
||
| tux99 |
Posted: Feb 28 2012, 11:59 PM
|
|
 SLF Guru Group: Members Posts: 1120 Member No.: 224 Joined: 28-May 11 |
I see your point, but I don't have an answer for you. I guess it's best if you ask this question on the SL mailing-list, this is purely a user forum, the SL devs don't normally read it, while they do read the mailing-lists.
http://www.scientificlinux.org/maillists/ -------------------- My personal SL6 repository, specialized in audio/video software: http://pkgrepo.linuxtech.net/el6/
|
|
|
|
||
| joutlan |
Posted: Feb 29 2012, 12:37 AM
|
|
 SLF Founder Group: Admins Posts: 1146 Member No.: 1 Joined: 8-April 11 |
I believe this is already been hashed on the listserv....was reading it earlier today....
 -------------------- DΞLL Precision M6700: 17 inch NB//i7-quad w/USB 3.0, 16.0GB, Quadro K5000M 2.0GB DDR3, RGBLED //W8P64/Scientific Linux 6.4 x64
DΞLL Vostro 3350 Nirvana: 13 inch NB w/ IntelSSD// W8Px64 (Work;Games) Nexus 4 //Android |
|
  
|
||
| lemonzest |
Posted: Feb 29 2012, 01:14 AM
|
|
 SLF Member Group: Members Posts: 144 Member No.: 109 Joined: 29-April 11 |
Trust No One *hums x-files music*
  -------------------- Desktop: Phenom II X6 1090T Hex-Core (Socket AM3), 16GB RAM, MSI 870-C45, 5x 1TB HDD, Radeon HD 6770 1GB, Mageia 2 x86_64
Test Box:Intel Pentium E2180 (Socket 775), 4GB DDR3, ASRock G41-VS3 2.0, 4x 1TB, 2x 500GB, Onboard GFX, Mageia 2 x86_64 Connection: Virgin Media XL 60Mb/s Down, 3Mb/s Up |
|
|
|
||
| log69 |
Posted: Feb 29 2012, 07:03 AM
|
|
|
SLF Member Group: Members Posts: 97 Member No.: 1325 Joined: 24-February 12 |
Yes, I asked about this on the user ML too. Somebody said, that the devs singed the hash file originally that belongs to the installer, but as soon as the Live ISO files got uploaded, the hash files had been overwritten with unsigned hash list.
Also, this user sent the original singed hash file to the ML, and the SL gpg key matches. I find this interesting and I'm waiting for further info on this. |
|
|
|
||
| AndrewSerk |
Posted: Mar 3 2012, 03:32 AM
|
|
 SLF Moderator Group: Moderators Posts: 524 Member No.: 54 Joined: 14-April 11 |
There is now a SHA1SUM.gpgsigned and SHA256SUM.gpgsigned file avalable for download:
http://ftp1.scientificlinux.org/linux/scientific/6.2/x86_64/iso/ http://ftp1.scientificlinux.org/linux/scientific/6.2/i386/iso/ |
|
|
|
||
| log69 |
Posted: Mar 3 2012, 07:06 AM
|
|||
|
SLF Member Group: Members Posts: 97 Member No.: 1325 Joined: 24-February 12 |
Great news! Thanks for sharing. |
|||
|
|
||||
 |
|