Signed iso files

anticapitalista
Forum Veteran
Posts: 5651
Joined: Sat Jul 15, 2006 10:40 am

Re: Signed iso files

#11 Post by anticapitalista » Mon Mar 21, 2016 4:41 pm

Adrian wrote: I see some people sign the md5sums and some people sign the ISOs, from what I understand the advantage of signing the md5sums is that it's a quick operation to sign a one line text file, while it takes a long time to sign an ISO, but if you sign the ISO if you verify the signature you don't need to verify the md5sum too, am I right? (It's still good to provide md5sums because some people don't bother to verify signatures)
Not 100% sure, but I would guess if the iso is verified then it should be good to go i.e. not corrupted by a download.

I would have thought that verifying the actual iso (that is after all what is going to be installed) is better for security.
anticapitalista
Reg. linux user #395339.

Philosophers have interpreted the world in many ways; the point is to change it.

antiX-17 "Heather Heyer" - lean and mean.
https://antixlinux.com

Stevo
Forum Veteran
Posts: 15794
Joined: Fri Dec 15, 2006 8:07 pm

Re: Signed iso files

#12 Post by Stevo » Mon Mar 21, 2016 4:49 pm

Ahh, the Peppermint link has the answer for Windows:
Windows Users

Windows users can download and install GPG (Gpg4win) from here:

https://gpg4win.org/download.html

Then substitute “gpg” with “C:\Program Files\Gnu\GnuPg\gpg.exe” in the four commands above.

eugen-b
Forum Regular
Posts: 572
Joined: Tue Aug 25, 2015 1:56 pm

Re: Signed iso files

#13 Post by eugen-b » Mon Mar 21, 2016 5:51 pm

Adrian wrote:
I see some people sign the md5sums and some people sign the ISOs, from what I understand the advantage of signing the md5sums is that it's a quick operation to sign a one line text file, while it takes a long time to sign an ISO, but if you sign the ISO if you verify the signature you don't need to verify the md5sum too, am I right? (It's still good to provide md5sums because some people don't bother to verify signatures)
Oberon from Manjaro recommends gpa which seems to be a self-explanatory GUI for GPG.
From a security standpoint signing the .iso or the iso.md5 is (almost) equivalent. A signature also provides the security service of integrity, so you don't need to verify an md5sum.
The trade-off would be in terms of performance vs. ease of use. It seems to be obviously faster to sign an iso.md5 (or iso.sha1) which you need to have calculated before.
But in fact it is not so obvious, because it also depends on the machine. Mine takes very long (several minutes) for md5sum checks, but it takes much less time (half a minute) for a signature check of the .iso file. Well, you need to import the key once for each distro.
MX-14 on a Via Eden 1GHz CPU thin client, 3GB RAM, Via VX800 chipset, Via Chrome9 HC GPU, 32GB M.2 SSD;
btrfs with @ and @home subvolumes for MX-14;
added @antiX and @antiXhome subvolumes and copied antix 13.1 base into them, adjusting Grub from MX-14.
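
Added example, not part of any post in this thread and not code from the MX or antiX projects: the two layouts discussed above differ in what the signature covers, and this Python code walks the two-step check needed when only the checksum file is signed. The function names, the `sig_ok` hook and the status strings are assumptions made for illustration.

```python
import hashlib
import os
import subprocess


def file_digest(path, algo="sha256", chunk=1 << 20):
    """Hash a file in chunks so a multi-GB ISO never has to fit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_sums(text):
    """Parse md5sum/sha256sum output lines: '<hex>  <name>' or '<hex> *<name>'."""
    sums = {}
    for line in text.splitlines():
        digest, sep, rest = line.strip().partition(" ")
        if sep:  # skip blank or malformed lines
            sums[rest[1:] if rest[:1] in (" ", "*") else rest] = digest.lower()
    return sums


def gpg_verify(sig_path, data_path):
    """True if gpg accepts the detached signature; the signer's key must
    already be imported and checked against a trusted fingerprint."""
    cmd = ["gpg", "--verify", sig_path, data_path]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def verify_via_signed_sums(iso, sums_file, sig, algo="sha256", sig_ok=gpg_verify):
    """Signature covers the checksum file; the digest line binds the ISO.
    sig_ok is an injectable hook (hypothetical) so the logic runs without gpg."""
    if not sig_ok(sig, sums_file):
        return "bad signature on checksum file"
    with open(sums_file) as f:
        sums = parse_sums(f.read())
    name = os.path.basename(iso)
    if name not in sums:
        return "iso not listed in signed checksum file"
    if file_digest(iso, algo) != sums[name]:
        return "iso does not match signed checksum"
    return "ok"
```

When the ISO itself is signed, the whole check is a single `gpg_verify(sig_path, iso_path)` call. With a signed checksum file the ISO is tied to the signature only through the digest, so `algo="md5"` works for `.md5` files but a stronger hash is preferable, since MD5 collisions are practical.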

Stevo
Forum Veteran
Posts: 15794
Joined: Fri Dec 15, 2006 8:07 pm

Re: Signed iso files

#14 Post by Stevo » Mon Mar 21, 2016 6:59 pm

This is still security related--if we ever implement https for the passwords here and for the community pages, I see letsencrypt is now in jessie-backports. That's a weak point if passwords are sent in the clear, then the links and directions could be hacked.

Adrian
Forum Veteran
Posts: 8459
Joined: Wed Jul 12, 2006 1:42 am

Re: Signed iso files

#15 Post by Adrian » Mon Mar 21, 2016 7:05 pm

Stevo wrote:This is still security related--if we ever implement https for the passwords here and for the community pages, I see letsencrypt is now in jessie-backports. That's a weak point if passwords are sent in the clear, then the links and directions could be hacked.
I agree, we need to use https for the forum.

richb
Administrator
Posts: 16915
Joined: Wed Jul 12, 2006 2:17 pm

Re: Signed iso files

#16 Post by richb » Mon Mar 21, 2016 7:06 pm

Adrian wrote:
Stevo wrote:This is still security related--if we ever implement https for the passwords here and for the community pages, I see letsencrypt is now in jessie-backports. That's a weak point if passwords are sent in the clear, then the links and directions could be hacked.
I agree, we need to use https for the forum.
Still in the wings and not forgotten.
Forum Rules
Guide - How to Ask for Help

Rich
SSD Production: MX 17.1
AMD A8 7600 FM2+ CPU R7 Graphics, 16 GIG Mem. Three Samsung EVO SSD's 250 GB, 350 GB HD

KernSpy
Forum Regular
Posts: 555
Joined: Wed Nov 05, 2014 10:09 pm

Re: Signed iso files

#17 Post by KernSpy » Mon Mar 21, 2016 7:54 pm

Should I stop my MX-15 (32/64bit) torrents in qbittorrent, check them and then restart them?
Acer Aspire M3800, Intel Pentium dual-core E6600, Intel 4 Series Graphics, Intel Audio, 4 GB Ram, XFCE 4, MX15 Fusion. Lenovo G560 Laptop - 4G Ram, Dual-Pentium, MX15 Fusion.

anticapitalista
Forum Veteran
Posts: 5651
Joined: Sat Jul 15, 2006 10:40 am

Re: Signed iso files

#18 Post by anticapitalista » Mon Mar 21, 2016 8:02 pm

KernSpy wrote:Should I stop my MX-15 (32/64bit) torrents in qbittorrent, check them and then restart them?
No.

KernSpy
Forum Regular
Posts: 555
Joined: Wed Nov 05, 2014 10:09 pm

Re: Signed iso files

#19 Post by KernSpy » Mon Mar 21, 2016 9:29 pm

OK, Thanks!

Stevo
Forum Veteran
Posts: 15794
Joined: Fri Dec 15, 2006 8:07 pm

Re: Signed iso files

#20 Post by Stevo » Mon Mar 21, 2016 9:45 pm

GPA (GNU Privacy Assistant) looks like the GUI for xfce.

It looks like we should recommend Windows users use the GPA included with Gpg4win for a GUI, there's some big fat version, but also a lite, then an even smaller "vanilla" version. I think the "Lite" version, which has GPA, looks good.
