On Mon, Sep 08, 2014 at 10:11:52PM +0200, Elmar Stellnberger wrote:
|   I had just bought such a magazine which shipped install55.iso as a whole.
| If the keys would have been in the root directory of that .iso then: Hooray!
| Sometimes they also ship the 'system rescue CD' as a whole; look at my
| proposal here:
| http://www.sysresccd.org/forums/viewtopic.php?f=6&t=5208

Trusting install55.iso on some magazine's CD is akin to trusting
someone you don't know who claims he's not a fraud.

Shall I prepare a nice magazine for you, with an install55.iso on the
CD and proper signify pubkeys in that ISO image?

What on earth are you going to do with the pubkeys you get in
install55.iso?

OK, now I take them out of the ISO and put them next to the image in
the same directory on the CD.  Nothing changes.  Now I'll provide you
with a system rescue CD as you proposed with the public keys of all
major distros.  Even including the signify pubkeys that will verify
the proper keys were used to sign (my special edition) of
install55.iso.

|  I welcome your provision of the signify tool. What I still do not know is
| where on install55.iso I can find the pubkey and the sigfile for verifying
| the iso by itself (test run) as well as further isos (many Linux distros use
| the root directory for these files). You did not 'forget' to ship these
| files, did you?

No, they weren't put on the image because it doesn't make sense to put
them there.  You need to verify the image via alternative routes.
Call up ten friends in ten different countries and ask them to all
download the SHA256.sig file from their local mirror and compare them
all verbally with what you download yourself.

And you still won't be 100% sure. Add 20 more friends from 20 new
countries.  Even more.

| I just please you to put sth. like a README there to make new
| or low-brow users know which tool to use i.e. signify and where to find
| the pubkey and signing data and the session length. The session length
| is the third important parameter to know when verifying already burnt
| .isos because they tend to be zero padded at the tail (disregarding this
| fact will usually make the verification fail).

If you didn't burn the iso yourself, why are you installing from it?

| >Cheers,
| >
| By the way, do you have any good reason to distrust gpg?

Apart from 'distrust', policy dictates it cannot be added to the base
operating system unless "as a last recourse"[1] and, in fact:

        "Replacement [of GPL-licensed code] by equivalent, more
        freely licensed tools is a long-term desideratum." [2]

Guess what - signify is that equivalent, more freely licensed tool.
It may not be feature-complete compared to GPG, but it provides the
basic feature of verifying checksums you suggest to use GPG for (if
you want the added features of GPG in your OpenBSD system, it's a simple
pkg_add(1) away).

Cheers,

Paul 'WEiRD' de Weerd

[1]: http://www.openbsd.org/goals.html
[2]: http://www.openbsd.org/policy.html

-- 
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
                 http://www.weirdnet.nl/                 
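
The zero-padding problem raised in the quoted text, as an added example that is not part of the original message or of OpenBSD's tooling: hash only the recorded image length of a burnt medium and compare it with the entry in the SHA256 listing. It assumes a plain ISO 9660 image whose volume size in the primary volume descriptor equals the length of the original .iso file, and an expected digest taken from a SHA256.sig already verified with signify using a public key obtained by a separate route; the function names and the sample image are constructed for illustration.

```python
import hashlib
import re
import struct

SECTOR = 2048             # ISO 9660 descriptors sit on 2048-byte sectors
PVD_OFFSET = 16 * SECTOR  # the primary volume descriptor is sector 16

def iso_length(stream):
    """Return the image length in bytes as recorded in the ISO 9660 PVD."""
    stream.seek(PVD_OFFSET)
    pvd = stream.read(SECTOR)
    if len(pvd) < SECTOR or pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("no ISO 9660 primary volume descriptor found")
    blocks = struct.unpack_from("<I", pvd, 80)[0]       # volume space size
    block_size = struct.unpack_from("<H", pvd, 128)[0]  # logical block size
    return blocks * block_size

def sha256_prefix(stream, length, chunk=1 << 20):
    """Hash exactly `length` bytes from the start, ignoring any tail padding."""
    stream.seek(0)
    digest, left = hashlib.sha256(), length
    while left > 0:
        data = stream.read(min(chunk, left))
        if not data:
            raise ValueError("medium is shorter than the recorded image length")
        digest.update(data)
        left -= len(data)
    return digest.hexdigest()

def expected_digest(sha256_text, name):
    """Pick one entry out of a BSD-style 'SHA256 (name) = hex' listing."""
    m = re.search(r"^SHA256 \(%s\) = ([0-9a-f]{64})$" % re.escape(name),
                  sha256_text, re.MULTILINE)
    if m is None:
        raise KeyError(name)
    return m.group(1)

def make_sample_image(blocks=20):
    """Constructed stand-in for an ISO: filler data plus a minimal PVD."""
    img = bytearray(b"\xA5" * (blocks * SECTOR))
    pvd = bytearray(SECTOR)
    pvd[0:6] = b"\x01CD001"                   # type 1 + standard identifier
    struct.pack_into("<I", pvd, 80, blocks)   # volume space size (LE copy)
    struct.pack_into("<H", pvd, 128, SECTOR)  # logical block size (LE copy)
    img[PVD_OFFSET:PVD_OFFSET + SECTOR] = pvd
    return bytes(img)
```

A matching digest only shows that the medium carries the same bytes as the listing describes; whether the listing itself is genuine still rests on how the signify public key was obtained.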
