LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
Old 05-17-2016, 06:57 PM   #1
DW997
LQ Newbie
Registered: May 2016
Posts: 1
GPG and Signature Key on linux ISOs


greetings

Why do many Linux distributions not use GPG and a signature file to verify ISO files? Many use the usual md5sum and SHA variants. There is more work involved when using the GPG method, but I believe it's better in the long run.
 
Old 05-17-2016, 07:06 PM   #2
notKlaatu
Senior Member
Registered: Sep 2010
Location: Lawrence, New Zealand
Distribution: Slackware
Posts: 1,077
GPG supports the identity of the person distributing the file. SHAsum supports the identity of the file.

GPG, for instance, requires that someone own a private key file, and they often use that key file in communication with other people, so there's a sense that yes, this key file is a file that This Person owns and has a passphrase to use, so I trust that when I get a file that is signed with that key file's signature, it really is something coming from that person (unless that person has been captured and tortured, or had both their key file AND passphrase stolen).

A SHAsum just looks at bits and verifies that they haven't changed. That's usually pretty good, but from what I understand, it can eventually be spoofed (not easily, but still...). There's no sense of personal interaction, either, so if ISOs get posted online and they're always signed by this one dev, but suddenly one is signed with a different key, I might be prompted to investigate what's going on: was the old key deprecated and s/he has a new key now, or is someone trying to slip something by me?

There may be lower level reasons (gpg integration with a build system, that sort of thing) but that's my understanding of the reasoning.
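Added example, not part of the thread above: the difference the reply describes, "the identity of the file" versus "the identity of the person distributing it", as the two checks you actually run on a release. The script plays both sides in a throwaway directory: it generates a demo signing key (no passphrase, so it needs no prompting), signs a SHA256SUMS list the way distributions that ship SHA256SUMS.gpg do, and then verifies the download under four conditions. The file names, the signer identity and the use of one GNUPGHOME for both signer and verifier (standing in for "you imported the distro's public key") are assumptions for the demo; real releases use the key you fetched and checked out of band.

```shell
#!/usr/bin/env bash
# Added example, not from the thread above: the two checks a signed release
# gives you, run against a throwaway key in a throwaway directory.
# Assumed file names: release.iso, SHA256SUMS (checksum list) and
# SHA256SUMS.gpg (the publisher's detached signature over that list).
set -u

# verify_release DIR KEYRING_HOME
# 0 = genuine; 2 = signature check failed (bad/unknown key or edited list);
# 3 = signature fine but a listed file does not match its checksum.
verify_release() {
  local dir="$1" home="$2"
  (
    cd "$dir" || exit 1
    # Step 1: who published the checksum list? gpg exits non-zero on a bad
    # signature or on a key that is not in KEYRING_HOME.
    GNUPGHOME="$home" gpg --batch --quiet --verify SHA256SUMS.gpg SHA256SUMS \
      >/dev/null 2>&1 || exit 2
    # Step 2: do the bits match what the publisher listed?
    sha256sum --quiet -c SHA256SUMS >/dev/null 2>&1 || exit 3
  )
}

# checksum_only DIR: what you get when a distro publishes only SHA256SUMS.
checksum_only() {
  ( cd "$1" && sha256sum --quiet -c SHA256SUMS >/dev/null 2>&1 )
}

# make_demo DIR: play the publisher. Creates a fake ISO, a throwaway signing
# key under DIR/gnupghome (no passphrase: demo only) and the signed list.
make_demo() {
  local dir="$1" home="$1/gnupghome"
  mkdir -p "$home" && chmod 700 "$home" || return 1
  printf 'pretend this is an ISO image\n' > "$dir/release.iso"
  GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Demo Release Signer <release@example.invalid>' default default never \
    >/dev/null 2>&1 || return 1
  (
    cd "$dir" &&
      sha256sum release.iso > SHA256SUMS &&
      GNUPGHOME="$home" gpg --batch --quiet --yes --detach-sign \
        --output SHA256SUMS.gpg SHA256SUMS >/dev/null 2>&1
  )
}

# cleanup_demo DIR: stop the agent gpg started for this keyring, drop the dir.
cleanup_demo() {
  GNUPGHOME="$1/gnupghome" gpgconf --kill gpg-agent >/dev/null 2>&1 || true
  rm -rf "$1"
}

# report LABEL WANT GOT: one line per scenario; non-zero if they differ.
report() {
  if [ "$2" -eq "$3" ]; then echo "ok   $1 (rc=$3)"; return 0; fi
  echo "FAIL $1 (want rc=$2, got rc=$3)"; return 1
}

# demo: walks through the cases from the thread. Returns 0 if every case
# behaved as described.
demo() {
  local dir home rc bad=0
  dir=$(mktemp -d) || return 1
  home="$dir/gnupghome"
  make_demo "$dir" || { echo "setup failed (is gnupg installed?)"; rm -rf "$dir"; return 1; }

  rc=0; verify_release "$dir" "$home" || rc=$?
  report "genuine release, known key" 0 "$rc" || bad=1

  # Same files, but the signer's key was never imported into this keyring:
  # the "suddenly signed with a different key" case from the post.
  mkdir -p "$dir/stranger" && chmod 700 "$dir/stranger"
  rc=0; verify_release "$dir" "$dir/stranger" || rc=$?
  report "genuine release, unknown key" 2 "$rc" || bad=1

  # Truncated or bit-rotted download: signature fine, checksum mismatch.
  printf 'x' >> "$dir/release.iso"
  rc=0; verify_release "$dir" "$home" || rc=$?
  report "corrupted download" 3 "$rc" || bad=1

  # Compromised mirror: attacker swaps the ISO and regenerates SHA256SUMS.
  # A checksum-only check is happy; the signature over the list is not.
  printf 'trojaned image\n' > "$dir/release.iso"
  ( cd "$dir" && sha256sum release.iso > SHA256SUMS )
  rc=0; checksum_only "$dir" || rc=$?
  report "mirror swap, checksum only" 0 "$rc" || bad=1
  rc=0; verify_release "$dir" "$home" || rc=$?
  report "mirror swap, signed list" 2 "$rc" || bad=1

  cleanup_demo "$dir"
  return "$bad"
}

demo
```

The order of the two steps matters: the signature is checked over the checksum list first, so that a mirror which can rewrite SHA256SUMS alongside the ISO gains nothing, and only then is the ISO compared against the list it was signed with. The "unknown key" case is what the reply means by being prompted to investigate: gpg refuses rather than guessing, and it is up to you to decide whether the new key is a legitimate rotation.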