LinuxQuestions.org

GPG and Signature Key on linux ISOs (https://www.linuxquestions.org/questions/linux-newbie-8/gpg-and-signature-key-on-linux-isos-4175580045/)

DW997 05-17-2016 06:57 PM

GPG and Signature Key on linux ISOs
 
greetings

Why don't many linux distributions use gpg and a signature file to verify iso files? Many use the usual md5sum and sha variants. There is more work involved when using the gpg method, but I believe it's better in the long run.

notKlaatu 05-17-2016 07:06 PM

GPG supports the identity of the person distributing the file. SHAsum supports the identity of the file.

GPG, for instance, requires that someone owns a private key file, and they often use that keyfile in communication with other people, so there's a sense that yes, this keyfile is a file that This Person owns and has a passphrase to use, so I trust that when I get a file that is signed with that keyfile's signature, then it really is something coming from that person. (unless that person has been captured and tortured, or had both their keyfile AND passphrase stolen).

A SHAsum just looks at bits and verifies that they haven't changed. That's usually pretty good, but from what I understand, it can eventually be spoofed (not easily, but still...). There's no sense of personal interaction, either, so if ISOs get posted online and they're always signed by this one dev, but suddenly one is signed with a different key, I might be prompted to investigate what's going on - was the old key deprecated and s/he has a new key now, or is someone trying to slip something by me?

There may be lower level reasons (gpg integration with a build system, that sort of thing) but that's my understanding of the reasoning.
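In practice the two mechanisms the reply contrasts are combined: the distribution signs its checksum list, so the signature vouches for the publisher and the hash vouches for the bits. The following POSIX shell script is an added example, not code from this thread: it verifies the detached signature on a SHA256SUMS file, refuses to proceed unless the signer's fingerprint is the one pinned in advance (so the "suddenly signed with a different key" case becomes a hard failure instead of something to notice), and only then compares the ISO's hash against the list. It assumes gpg and sha256sum are on PATH, that the publisher's public key is already imported, and that the file names and fingerprint passed as arguments are yours to supply.

```shell
#!/bin/sh
# Added example (not from the thread): verify an ISO against a checksum list
# that is itself covered by a detached OpenPGP signature, and insist that the
# signature comes from a pinned, expected key fingerprint.
# Assumptions: gpg and sha256sum on PATH; the distribution's signing public key
# already imported into the local keyring; file names supplied by the caller.

# Reads `gpg --status-fd` output on stdin; succeeds only if a VALIDSIG line
# names the expected fingerprint (field 3 = signing (sub)key, last field =
# primary key). GOODSIG alone is not enough: it carries only a short key ID.
check_signer_status() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# Checks that the ISO's SHA-256 matches its entry in the (now trusted) list.
# List lines look like "<hash>  <name>" or "<hash> *<name>" (binary mode).
check_sha256() {
    sums=$1 iso=$2
    name=$(basename "$iso")
    expected=$(awk -v f="$name" '$2 == f || $2 == ("*" f) { print $1; exit }' "$sums")
    [ -n "$expected" ] || { echo "no entry for $name in $sums" >&2; return 1; }
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Order matters: establish who signed the list first, then trust its hashes.
# A valid signature from any other key is rejected, not merely reported.
verify_iso() {
    sums=$1 sig=$2 iso=$3 fpr=$4
    gpg --status-fd 1 --verify "$sig" "$sums" 2>/dev/null | check_signer_status "$fpr" \
        || { echo "signature invalid or not from $fpr" >&2; return 1; }
    check_sha256 "$sums" "$iso" \
        || { echo "checksum mismatch for $iso" >&2; return 1; }
    echo "OK: $iso matches a checksum list signed by $fpr"
}

# Usage: ./verify_iso.sh SHA256SUMS SHA256SUMS.gpg distro.iso <40-hex-fingerprint>
if [ "$#" -eq 4 ]; then
    verify_iso "$@"
fi
```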

