Scientific Linux Forum.org




> digital signatures for SHASUMS, where?
log69
 Posted: Feb 27 2012, 08:36 AM
SLF Member
Group: Members
Posts: 98
Member No.: 1325
Joined: 24-February 12

Dear Members,

I decided to put my question in this forum, since I believe it has important things to do with security.

Ever since I switched to using SL as my main system on servers and desktops, I couldn't find any answer to the following question of mine: Where can I find any digital signatures that belong to the SHA1SUM or other hashes of the .iso files?

AFAIK all the other mainstream distros sign their hash files, but I can't find any for SL.

Since the ISO files have to be downloaded through an unencrypted FTP or HTTP connection along with their hash files, both could easily be manipulated and changed on the way to the user's machine.

So this question has bothered me for some time now, or I might simply be missing something here.

Thanks!
tux99
 Posted: Feb 28 2012, 11:59 PM
SLF Guru
Group: Members
Posts: 1289
Member No.: 224
Joined: 28-May 11

I see your point, but I don't have an answer for you. I guess it's best if you ask this question on the SL mailing list; this is purely a user forum and the SL devs don't normally read it, while they do read the mailing lists.

http://www.scientificlinux.org/maillists/


--------------------
My personal SL6 repository, specialized in audio/video software: http://pkgrepo.linuxtech.net/el6/
(can be used together with EPEL and ELRepo repositories) - repository mirror: http://linuxsoft.cern.ch/linuxtech/el6/
joutlan
 Posted: Feb 29 2012, 12:37 AM
SLF Founder
Group: Admins
Posts: 1109
Member No.: 1
Joined: 8-April 11

I believe this has already been hashed on the listserv... was reading it earlier today... :)


--------------------
DΞLL Precision M6700: 17 inch NB//i7-quad w/USB 3.0, 16.0GB, Quadro K5000M 2.0GB DDR3, RGBLED //W8P64/Scientific Linux 6.4 x64
DΞLL Vostro 3350 Nirvana: 13 inch NB w/ IntelSSD// W8Px64 (Work;Games)
Nexus 4 //Android
lemonzest
 Posted: Feb 29 2012, 01:14 AM
SLF Member
Group: Members
Posts: 130
Member No.: 109
Joined: 29-April 11

Trust No One *hums x-files music*


--------------------
Desktop: Phenom II X6 1090T Hex-Core (Socket AM3), 16GB RAM, MSI 870-C45, 5x 1TB HDD, Radeon HD 6770 1GB, Mageia 2 x86_64

Test Box:Intel Pentium E2180 (Socket 775), 4GB DDR3, ASRock G41-VS3 2.0, 4x 1TB, 2x 500GB, Onboard GFX, Mageia 2 x86_64

Connection: Virgin Media XL 60Mb/s Down, 3Mb/s Up
log69
 Posted: Feb 29 2012, 07:03 AM
SLF Member
Group: Members
Posts: 98
Member No.: 1325
Joined: 24-February 12

Yes, I asked about this on the user ML too. Somebody said that the devs originally signed the hash file that belongs to the installer, but as soon as the Live ISO files got uploaded, the hash files were overwritten with an unsigned hash list.

Also, this user sent the original signed hash file to the ML, and the SL gpg key matches. I find this interesting and I'm waiting for further info on this.
AndrewSerk
 Posted: Mar 3 2012, 03:32 AM
SLF Moderator
Group: Moderators
Posts: 518
Member No.: 54
Joined: 14-April 11

There is now a SHA1SUM.gpgsigned and SHA256SUM.gpgsigned file available for download:
http://ftp1.scientificlinux.org/linux/scientific/6.2/x86_64/iso/
http://ftp1.scientificlinux.org/linux/scientific/6.2/i386/iso/
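
One way to use the signed list announced above, as an added example that is not part of the original posts and not Scientific Linux's own tooling. It assumes the `.gpgsigned` file carries an inline (non-detached) OpenPGP signature and that the signing key is already in the local keyring with its fingerprint confirmed through a channel other than the mirror; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes gpg and sha256sum are installed. gpg exits 0 for a
# good signature from ANY key in the keyring, so keep only the distribution
# key (fingerprint checked out of band) in the keyring used here.

# extract_signed_list SIGNED_FILE OUT_FILE
# Assumption: SIGNED_FILE is an inline (non-detached) OpenPGP signature.
# gpg writes only the text covered by the signature to OUT_FILE, so unsigned
# lines placed around the signed block never reach the digest comparison.
extract_signed_list() {
    gpg --batch --yes --output "$2" --decrypt "$1" || { : > "$2"; return 1; }
}

# iso_matches_list VERIFIED_LIST ISO_FILE
# Returns 0 only if VERIFIED_LIST has exactly one entry for the ISO's base
# name and that digest equals the SHA-256 of the local file.
iso_matches_list() {
    list=$1 iso=$2
    name=$(basename -- "$iso")
    # sha256sum lines are "<hex>  <name>" or "<hex> *<name>" (binary mode).
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) }
        f == n { print tolower($1); c++ }
        END { exit (c == 1 ? 0 : 1) }' "$list") || return 1
    actual=$(sha256sum -- "$iso" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# Usage: sh verify-iso.sh SHA256SUM.gpgsigned image.iso
if [ "$#" -eq 2 ]; then
    tmp=$(mktemp) || exit 1
    trap 'rm -f -- "$tmp"' EXIT
    extract_signed_list "$1" "$tmp" || { echo "signature check failed" >&2; exit 1; }
    iso_matches_list "$tmp" "$2" || { echo "digest mismatch: $2" >&2; exit 1; }
    echo "OK: $2"
fi
```

The digest is compared against the text gpg emits, not against the downloaded file itself, which is what ties the ISO to the signature rather than to whatever the mirror served.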
log69
 Posted: Mar 3 2012, 07:06 AM
SLF Member
Group: Members
Posts: 98
Member No.: 1325
Joined: 24-February 12

QUOTE
There is now a SHA1SUM.gpgsigned and SHA256SUM.gpgsigned file available for download...


Great news! Thanks for sharing.