On 25/02/16 00:55, David Kuehling wrote:
>>>>>> "Daniel" == Daniel Reurich <[email protected]> writes:
> [..]
>>> Now if I downloaded Devuan from within China or Iran or Syria or any
>>> company targeted by the NSA [3], how could I ensure that I still
>>> received a non-tampered with .ISO file?
>>>
>>> What about making the download page HTTPS-only (letsencrypt.org?)?
>>>
>> HTTPS is no guarantee either unless it's using DNSSEC and DANE. But I
>> agree files.devuan.org should be https, and we should also have a site
>> on the tor network as well.
>
> At least an attack via MITM on SSL using hacked certs would be
> detectable by SSL observatory etc. and thus could not be used on a large
> scale.
>
>> With regards to verification you can get the pgp checksums from
>> packages.devuan.org/<release>/InRelease file which is itself pgp
>> signed using Devuan's PGP key which can be obtained from the keyserver
>> network which is also accessible via tor using parcimonie. No
>> guarantees but much harder to fake all that.
>
> Unfortunately, that doesn't help me, if I already got a root-kit with
> the initial netinstaller ISO :/ . Could you publish detached .pgp
> signatures or pgp-signed shasums for the ISOs, too?
The InRelease file from your mirror or packages.devuan.org is signed by the Devuan keyring and verifies that its contents are untampered with. That file contains all the shasums for the SHA256SUMS file in each folder in the dists part of the repo, so you have a detached but independently verifiable way to the shasum of the netinstaller.iso to verify it.

--
Daniel Reurich
Centurion Computer Technology (2005) Ltd.
021 797 722
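The verification chain described in this thread (signed InRelease lists the hash of SHA256SUMS, which in turn lists the hash of the ISO) as an added example, not code from the thread or from the Devuan project. The signature step itself is done with GnuPG against the Devuan keyring; the rest is plain hash comparison. All sample data here (the fake ISO bytes, the SHA256SUMS file, the InRelease body with its armor lines, and the `main/installer-amd64/current/images/SHA256SUMS` path) is constructed for the example, and the `gpg_verify` helper is an assumed wrapper that is not exercised offline.

```python
"""Walk the InRelease -> SHA256SUMS -> ISO hash chain for a downloaded installer.

Added example for the mailing-list discussion; not Devuan's own tooling.
"""
import hashlib
import subprocess


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- Constructed sample data (stand-ins for the real files on packages.devuan.org) ---
FAKE_ISO = b"constructed stand-in for the netinstaller.iso payload\n"
ISO_NAME = "netinstaller.iso"
SUMS_PATH = "main/installer-amd64/current/images/SHA256SUMS"  # assumed repo layout

# sha256sum-style listing, as produced by `sha256sum ./netinstaller.iso`
FAKE_SHA256SUMS = f"{sha256_hex(FAKE_ISO)}  ./{ISO_NAME}\n".encode()

# Clearsigned Release body: the SHA256: section lists every file under dists/<release>/
FAKE_INRELEASE = f"""-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Origin: Devuan
Suite: example-release
SHA256:
 {sha256_hex(FAKE_SHA256SUMS)} {len(FAKE_SHA256SUMS)} {SUMS_PATH}
 0000000000000000000000000000000000000000000000000000000000000000 0 main/binary-amd64/Packages
-----BEGIN PGP SIGNATURE-----
(signature block omitted in this constructed sample)
-----END PGP SIGNATURE-----
"""


def gpg_verify(inrelease_path: str, keyring_path: str) -> bool:
    """Step 0 (assumed helper): check the InRelease signature with GnuPG.

    Uses only the named keyring so a stray key in the default keyring
    cannot satisfy the check. Requires gpg and the real files on disk.
    """
    result = subprocess.run(
        ["gpg", "--no-default-keyring", "--keyring", keyring_path,
         "--verify", inrelease_path],
        capture_output=True,
    )
    return result.returncode == 0


def signed_body(inrelease_text: str) -> str:
    """Return the payload of a clearsigned file (between the armor header and the signature)."""
    lines = inrelease_text.splitlines()
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        raise ValueError("not a clearsigned InRelease file")
    i = 1
    while i < len(lines) and lines[i].strip():  # skip "Hash: ..." headers
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line == "-----BEGIN PGP SIGNATURE-----":
            break
        body.append(line[2:] if line.startswith("- ") else line)  # undo dash-escaping
    return "\n".join(body)


def parse_sha256_section(body: str) -> dict:
    """Map each path in the Release 'SHA256:' section to (digest, size)."""
    entries, in_section = {}, False
    for line in body.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
            continue
        if in_section:
            if not line.startswith(" "):
                in_section = False
                continue
            digest, size, path = line.split()
            entries[path] = (digest.lower(), int(size))
    return entries


def parse_sha256sums(sums_text: str) -> dict:
    """Parse sha256sum output ('digest  name' or 'digest *name') into name -> digest."""
    entries = {}
    for line in sums_text.splitlines():
        if not line.strip():
            continue
        digest, name = line.split(None, 1)
        name = name.strip().lstrip("*")
        if name.startswith("./"):
            name = name[2:]
        entries[name] = digest.lower()
    return entries


def verify_iso_chain(inrelease_text: str, sums_path: str, sums_bytes: bytes,
                     iso_name: str, iso_bytes: bytes) -> tuple:
    """Follow the chain from the (already signature-checked) InRelease down to the ISO."""
    release = parse_sha256_section(signed_body(inrelease_text))
    if sums_path not in release:
        return False, "SHA256SUMS is not listed in InRelease"
    digest, size = release[sums_path]
    if len(sums_bytes) != size or sha256_hex(sums_bytes) != digest:
        return False, "SHA256SUMS does not match the hash in InRelease"
    sums = parse_sha256sums(sums_bytes.decode())
    if iso_name not in sums:
        return False, f"{iso_name} is not listed in SHA256SUMS"
    if sha256_hex(iso_bytes) != sums[iso_name]:
        return False, "ISO hash does not match SHA256SUMS"
    return True, "ok"


if __name__ == "__main__":
    print(verify_iso_chain(FAKE_INRELEASE, SUMS_PATH, FAKE_SHA256SUMS, ISO_NAME, FAKE_ISO))
    print(verify_iso_chain(FAKE_INRELEASE, SUMS_PATH, FAKE_SHA256SUMS, ISO_NAME, FAKE_ISO + b"x"))
```

The chain only means something if `gpg_verify` succeeded against a keyring obtained independently of the mirror that served the ISO, which is exactly the gap the original question raises: a netinstaller that is already compromised can lie about every step below it.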
_______________________________________________ Dng mailing list [email protected] https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
