Re: Stronger Hashes for PKGBUILDs




On 12/26/2016 07:35 AM, NicoHood wrote:
>>> Yesterday I wanted to install ArchLinux on someone else's computer. He
>>> used Windows until now and had no gpg handy yet (it is really annoying
>>> to install on Windows).

What is wrong with, say, Gpg4win?

Okay, it is difficult to *trust* the software without any way of
securely proving it itself hasn't been backdoored. Then again, how did
*you* initially trust your Linux distribution?
But I don't see why it would be especially difficult to *install* on
Windows.

>>> So we needed to verify the source otherwise. But there was no real
>>> option, as md5/sha1 is broken and his internet is too slow to download it
>>> again via torrent. We did not install Arch then, and in the next few days
>>> I will send him my sha512sum from my computer, where I did a torrent download.

I was under the impression that sha1 works just fine, and will for a
little while yet. Preimage attacks haven't been suggested to be feasible
yet, to my knowledge. Though we should still move off sha1 simply
because it is continually weakening and on its last legs (or already
broken for some functionality), I am pretty sure your friend is safe...

> ArchLinux wants to KISS, so we should simply add stronger hashes instead
> of requiring the user to download two tools. It's quite a struggle to
> find a hash tool for Windows anyways.

I am not overly familiar with the checksumming landscape in
Windows-land, but I could have sworn all the common tools I found back
in "the day" were capable of verifying a range of hash functions, much
like coreutils as a set is capable of verifying a range of hash
functions. Why do you need two tools?

> Also the website should state from which person the signature is and
> which fingerprint it uses. I still could not find this information
> (otherwise I'd contact this person).

Usually gpg tells you this automagically. :p
Anyway, the key already has full trust from pacman-key, if you are
verifying from an Arch system... also, the frontpage has a link[1] to
the canonical master keys "for all Arch Linux purposes", which is how I
initially verified the ISO signature as having a valid trust.
(Do take caution to independently verify those signatures e.g. from the
owner's personal website.)

-- 
Eli Schwartz

[1] https://www.archlinux.org/master-keys/
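An added example, not part of the thread above or of any Arch tooling: a POSIX sh helper in the spirit of the point that coreutils already verifies a range of digests. It picks the checksum tool by the length of the hex digest supplied out of band (for instance the friend's sha512sum) and refuses md5/sha1 digests outright, matching the thread's push to move off them. The file path and digest are assumed arguments.

```shell
#!/bin/sh
# Added example (not from the thread): verify a downloaded file against a
# hex digest obtained out of band, selecting the coreutils tool by digest
# length. md5 (32 hex chars) and sha1 (40) are refused rather than checked.
# Exit status: 0 = match, 1 = mismatch, 2 = weak or unrecognised digest.
verify_digest() {
    file=$1
    # normalise to lower case so a digest copied from a web page still compares
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case ${#expected} in
        32|40)
            echo "$file: refusing md5/sha1 digest, use sha256 or sha512" >&2
            return 2 ;;
        64)  tool=sha256sum ;;
        128) tool=sha512sum ;;
        *)
            echo "$file: unrecognised digest length ${#expected}" >&2
            return 2 ;;
    esac
    actual=$($tool "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "$file: OK ($tool)"
        return 0
    fi
    echo "$file: FAILED ($tool)" >&2
    return 1
}
```

Usage: `verify_digest archlinux.iso "$digest_from_friend"`; a non-zero exit means do not install from that image.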


