The key thing that always confuses me, but that is also worth noting, is that there are two stages at which the download could be compromised:
1) Man-in-the-middle attacks while you (the user) download the file from the server to your machine, resulting in a file that differs from the one you intended to download.
2) Modifications made on the server. The file you downloaded is correct, but the host is malicious.
The solution to #1 is to hash your download and compare it to the hash on the server. You don't need to verify the GPG key to do this. For #2, that's where the Web of Trust becomes important. Debian publishes their PGP signatures on this page: https://www.debian.org/CD/verify
Linux does the same here: https://www.kernel.org/category/signatures.html
It's not ideal, but it is as good as you are gonna get without meeting the developers in person. Start with the hashing though. It covers the basic problems and confirms that the download was completed successfully.

On Mon, Oct 7, 2019 at 4:01 PM Russell Senior <[email protected]> wrote:

> The gnarly problem with cryptographic signatures is making sure that the public keys you are using to verify are the correct ones, since usually the way you get the public keys is the same way you get the signatures and the blobs they protect. You need some reliable out-of-band way of gaining confidence that you have the correct public keys. Keybase.io is an interesting method. Key signing parties are a way of gaining confidence in your "neighbors'" keys, and you can kind of bootstrap your way through the web of trust to gaining confidence in more distant keys.
>
> On Mon, Oct 7, 2019 at 3:41 PM <[email protected]> wrote:
>
> > > You could download the distribution .iso as well as its sha256sum. Then you run: sha256sum fileName.iso and compare them.
> > >
> > > All distributions I know are additionally signed and will complain/abort when the signature does not match.
> > >
> > > That is, of course, only useful if the distribution itself is not compromised. In case it is truly compromised, including the signing and sha256 infrastructure, I do not think you can do much about it.
> >
> > They would have to gain possession of the package signing key. All of the packages and updates are signed, as well as checksummed in the package list being downloaded.
> >
> > If you suspect it is compromised then you can compare the source in the package to the source in the upstream repository.
> >
> > > On Mon, Oct 7, 2019, 17:42 Mike C. <[email protected]> wrote:
> > >
> > > > How would one know or determine if their beloved Linux distro of choice is hacked, altered or otherwise compromised?
> > > >
> > > > And not from years of using it while applying security updates or just willy-nilly throwing apps on it for fun, but from the source when you download it.
> > > >
> > > > Say I want to build my own distro, how do I verify that I'm getting the authentic / original kernel to start with?
> > > >
> > > > If I'm downloading a distro, how would I do the same verification?
> > > >
> > > > Is this something that we just rely on the general Linux community to monitor and report on?
> > > >
> > > > Or is there something that's accomplished through hash algorithms and digital signatures that your average Linux user can verify themselves?
> > > >
> > > > I hope I'm making some sense here.
> > > >
> > > > Thank you,
> > > >
> > > > Mike
> > > > _______________________________________________
> > > > PLUG mailing list
> > > > [email protected]
> > > > http://lists.pdxlinux.org/mailman/listinfo/plug
> >
> > Q: Why do programmers confuse Halloween and Christmas?
> > A: Because OCT 31 == DEC 25.
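The two checks the thread discusses (sha256sum against the published list, and the GPG signature over that list) as an added shell example; this is not code from any of the posters. It follows the SHA256SUMS / SHA256SUMS.sign layout used on the Debian page linked above; the function names, the keyring argument and the demo "image" are constructed for this example.

```shell
#!/bin/sh
# Two-stage check of a downloaded image, as the thread describes.
# Stage 2 (is the publisher's checksum list authentic?): gpg verifies the detached
#   signature over SHA256SUMS with a keyring obtained out of band (path is an assumption).
# Stage 1 (did the bytes arrive unmodified?): sha256sum compares the image to that list.

# verify_signature SUMS SIG KEYRING: 0 only if gpg accepts SIG over SUMS with a key in KEYRING.
verify_signature() {
    gpg --no-default-keyring --keyring "$3" --verify "$2" "$1" >/dev/null 2>&1
}

# verify_checksum SUMS IMAGE: 0 if IMAGE's SHA-256 equals its entry in SUMS, 1 otherwise.
# Parses the "hash  name" lines of SHA256SUMS, including the binary-mode "*name" form.
verify_checksum() {
    sums="$1" image="$2"
    expected=$(awk -v f="$(basename "$image")" \
        '{ n = $2; sub(/^\*/, "", n); if (n == f) { print $1; exit } }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $(basename "$image") in $sums" >&2
        return 1
    fi
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# verify_download SUMS SIG KEYRING IMAGE: signature first, then checksum; 0 only if both pass.
verify_download() {
    verify_signature "$1" "$2" "$3" || { echo "signature over $1 did not verify" >&2; return 2; }
    verify_checksum "$1" "$4"      || { echo "checksum mismatch for $4" >&2; return 1; }
    echo "OK: $4 matches the signed checksum list"
}

# Stand-alone demo of stage 1 with constructed data (no network, no gpg needed):
# a tiny "image" whose published SHA-256 is the well-known hash of "hello\n".
demo() {
    d=$(mktemp -d)
    printf 'hello\n' > "$d/demo.iso"
    printf '%s  demo.iso\n' \
        5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 > "$d/SHA256SUMS"
    verify_checksum "$d/SHA256SUMS" "$d/demo.iso" && echo "intact copy: OK"
    printf 'hellO\n' > "$d/demo.iso"           # one changed byte, as a corrupted transfer would produce
    verify_checksum "$d/SHA256SUMS" "$d/demo.iso" || echo "altered copy: rejected"
    rm -rf "$d"
}
demo
```

For a real download, run verify_download with the SHA256SUMS and SHA256SUMS.sign files from the same directory as the image and a keyring holding the publisher's signing key; note the demo exercises only the checksum stage.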
