
Re: [GNU-linux-libre] Help users to verify their downloads


From: bill-auger
Subject: Re: [GNU-linux-libre] Help users to verify their downloads
Date: Mon, 18 Jun 2018 20:47:11 -0400

for the benefit of anyone reading who is not entirely familiar with these tools
mentioned (md5, sha, gpg) - allow me to make some important distinctions - if
the concerned users who prompted this thread are not reading this list, i
suggest someone should bring these distinctions to their attention

on the one hand there are checksums, often in files named MD5SUMS, SHA256SUMS,
and similar - these are mainly useful to verify that the downloaded files are
complete and were not damaged in transit - downloading over bittorrent offers
this same level of robustness intrinsically without the separate checksum file,
thus relieving the user of that manual step - however, this is a very weak form
of validation in respect to the concern donald raised - anyone with a completed
download could modify it and create a new checksum that will match the modified
file - that is also possible on a torrent network (the checksums are in the
.torrent file); but the result would be two clearly distinguishable and
unrelated files, each coupled to their own .torrent metadata file - in any
case, there is no way to know who authored that file or its metadata

on the other hand, files that were signed with a GPG key are attributable to the
person who authored them, even if they are delivered over some other channel by
some other person - the GPG key of the person who signed the file can be verified
against the list of official developers as published on the distro's website -
the signature will be as valid whether the file was downloaded directly from the
distro's website, or over bittorrent, or from any other source - if someone
modifies that file and then publishes the modified version, the original
signature of the distro developer would not be valid against the modified
version - that person could sign it with their own GPG key; but that would
obviously not be one of the official keys published on the distro's website

so in short, checksums only verify that a download was received intact without
error, while a GPG signature verifies the authenticity of the person who
published it - the level of confidence that i suspect this thread was asking for
can only be provided by a signature - checksums are far less significant and
indeed optional when a signature is provided, as the signature verifies the
file's integrity also

Attachment: signature.asc
Description: This is a digitally signed message part
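The checksum-versus-signature distinction drawn in the message above, as an added shell example (written for this page, not code from the post or from any distro's release tooling; it assumes GNU coreutils and gnupg are installed, and release.iso, SHA256SUMS, release.iso.sig and the keyring path are placeholder names):

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Assumes GNU coreutils
# (sha256sum, awk) and gnupg are installed; file names and the keyring
# path are placeholders you substitute for a real release.

# Integrity check: does the file's SHA-256 match its entry in a SHA256SUMS
# file? Returns 0 on match. This catches a corrupt download, nothing more.
check_sha256() {
    file=$1; sums=$2
    name=$(basename "$file")
    # sums files list "<hash>  <name>" or "<hash> *<name>" (binary mode)
    expected=$(awk -v f="$name" '$2 == f || $2 == ("*" f) {print $1; exit}' "$sums")
    actual=$(sha256sum "$file" | awk '{print $1}')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Authenticity check: verify a detached signature (release.iso.sig) using
# ONLY a keyring holding the distro's published developer keys, so a file
# re-signed by someone else fails with "No public key" instead of passing.
verify_signature() {
    file=$1; sig=$2; keyring=$3
    gpg --no-default-keyring --keyring "$keyring" --verify "$sig" "$file"
}

# Shows the weakness the post describes: a modified file fails against the
# original sums, but whoever modified it can regenerate sums that match.
demo_regenerated_sums_pass() {
    tmp=$(mktemp -d)
    rc=1
    printf 'original release\n' > "$tmp/release.iso"          # constructed stand-in
    (cd "$tmp" && sha256sum release.iso > SHA256SUMS)        # publisher's sums
    if check_sha256 "$tmp/release.iso" "$tmp/SHA256SUMS"; then
        printf 'modified release\n' > "$tmp/release.iso"       # tampered copy
        if ! check_sha256 "$tmp/release.iso" "$tmp/SHA256SUMS"; then
            (cd "$tmp" && sha256sum release.iso > SHA256SUMS)  # attacker's new sums
            check_sha256 "$tmp/release.iso" "$tmp/SHA256SUMS" && rc=0
        fi
    fi
    rm -rf "$tmp"
    return $rc   # 0 means: the checksum test accepted the tampered file
}
```

Run verify_signature only after importing the developer keys from the distro's website into a dedicated keyring; a signature that verifies against that keyring also establishes the file's integrity, which is why the sums file becomes optional.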

