Linux - GeneralThis Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I'm finding some Linux and BSD ISOs for download have PGP checksum files, *.asc. First, is PGP more reliable/secure than MD5? Than SHA-256, or any of the others? And secondly, how does one check a PGP checksum?
PGP is a tool that would use hash algorithms like MD5, SHA-256 etc. You need to find out what its using.
The home website for a given distro will tell you what they use and how to check it.
If a hacker hacked into the server you downloaded the .iso from and replaced it, he could also replace the md5sum so that you were none the wiser. This is why its always good practice to get the .iso and md5sums from different locations if at all possible.
pgp signatures on the other hand don't have this problem as in order to "sign" something you need to have access to the secret-key, which (unless the signer is incredibly stupid) won't go anywhere near the download/web server.
With pgp signing, the hacker could still replace the signature with one of his own, but unlike md5, when you verify it, it'll show who owns the signature, so its a little more obvious (if you're paying attention). This is why pgp signing is a better choice than md5, although md5 is fine for checking that the file hasn't been corrupted during download, it's not that good for security purposes. Some projects I've seen take a mixed approach and md5sum the .isos but then pgp clear-sign the md5sum.txt file itself to identify any tampering.
Anyway, that gives you a little insight into the why, now for the wherefore....
You need to download the 'public' key of the developer either from them directly (on their website), or from a key server, and then import it.
gpg --import keyfilename
Then you can verify files by doing a
gpg --verify signaturefilename.asc (not the file to be checked but the .asc that comes with it)
Anyway, that's a quick look at the basics of it, but there's a whole lot more to know. man 'gpg' is a good start. There's also a chapter on it in the slackbasics.org book, which along with the slackbook at slackbook.org is a very good read for a fledgling slacker.
I hope that helps. Enjoy your time with slackware, it's a great distribution.
I'm in love with Arch, only using Slack as a base for some experiments and for better Linux learning, since it's even more vanilla than Arch. But it is indeed very nice
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
