LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices

Reply
 
Search this Thread
Old 11-18-2008, 07:26 PM   #1
Ranguvar
Member
 
Registered: Oct 2008
Location: Upstate NY
Distribution: Arch Linux
Posts: 99

Rep: Reputation: 17
Quick question - PGP checksums? *.asc


Hello,

I'm finding some Linux and BSD ISOs for download have PGP checksum files, *.asc. First, is PGP more reliable/secure than MD5? Than SHA-256, or any of the others? And secondly, how does one check a PGP checksum?

Thanks!
 
Old 11-18-2008, 07:32 PM   #2
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,269

Rep: Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028Reputation: 2028
PGP is a tool that would use hash algorithms like MD5, SHA-256 etc. You need to find out what its using.
The home website for a given distro will tell you what they use and how to check it.
 
Old 11-18-2008, 09:06 PM   #3
Ranguvar
Member
 
Registered: Oct 2008
Location: Upstate NY
Distribution: Arch Linux
Posts: 99

Original Poster
Rep: Reputation: 17
Hmm, sorry? All the file says is this:

Code:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEABECAAYFAkgaVi4ACgkQakRjwEAQIjO+tQCdEcBUJtHbitrGr+0WSExE4sXM
KTIAmwe/Y3Mwuli2IBlS8H2JvWC7PX3B
=Ucb1
-----END PGP SIGNATURE-----
The distro in this case is Slackware.
 
Old 11-19-2008, 05:53 AM   #4
GazL
Senior Member
 
Registered: May 2008
Posts: 3,392

Rep: Reputation: 917Reputation: 917Reputation: 917Reputation: 917Reputation: 917Reputation: 917Reputation: 917Reputation: 917
If a hacker hacked into the server you downloaded the .iso from and replaced it, he could also replace the md5sum so that you were none the wiser. This is why its always good practice to get the .iso and md5sums from different locations if at all possible.

pgp signatures on the other hand don't have this problem as in order to "sign" something you need to have access to the secret-key, which (unless the signer is incredibly stupid) won't go anywhere near the download/web server.

With pgp signing, the hacker could still replace the signature with one of his own, but unlike md5, when you verify it, it'll show who owns the signature, so its a little more obvious (if you're paying attention). This is why pgp signing is a better choice than md5, although md5 is fine for checking that the file hasn't been corrupted during download, it's not that good for security purposes. Some projects I've seen take a mixed approach and md5sum the .isos but then pgp clear-sign the md5sum.txt file itself to identify any tampering.


Anyway, that gives you a little insight into the why, now for the wherefore....

You need to download the 'public' key of the developer either from them directly (on their website), or from a key server, and then import it.

gpg --import keyfilename

Then you can verify files by doing a

gpg --verify signaturefilename.asc (not the file to be checked but the .asc that comes with it)


Anyway, that's a quick look at the basics of it, but there's a whole lot more to know. man 'gpg' is a good start. There's also a chapter on it in the slackbasics.org book, which along with the slackbook at slackbook.org is a very good read for a fledgling slacker.

I hope that helps. Enjoy your time with slackware, it's a great distribution.
 
Old 11-19-2008, 02:21 PM   #5
Ranguvar
Member
 
Registered: Oct 2008
Location: Upstate NY
Distribution: Arch Linux
Posts: 99

Original Poster
Rep: Reputation: 17
Thanks

I'm in love with Arch, only using Slack as a base for some experiments and for better Linux learning, since it's even more vanilla than Arch. But it is indeed very nice
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
PGP Encryption script question jdiazaz Linux - Security 9 12-11-2009 05:07 AM
PGP keys: concept question joe293 Linux - Security 2 09-24-2008 11:38 AM
question about checksums and data compression darinbolson Linux - General 2 10-15-2006 11:37 PM
md5 and asc files Yohhan Linux - Newbie 6 07-10-2004 11:43 PM
The .asc file and what to do with it jspaceman Slackware 2 07-10-2004 11:42 PM


All times are GMT -5. The time now is 07:47 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration