Slackware ISOs and gpg-key secure download
 

Is there a way to download Slackware ISOs and the gpg-key over https, instead of just http? Is there something preventing downloads from being manipulated by malicious actors?

I'm not sure about that, but if you're worried, you could always get the torrents.

Nobody cares about Slackware. So you are safe :D

Cheers

OMG James Woods is in the tubes!!

https://pgp.mit.edu/pks/lookup?op=vi...4463C040102233
https://pgp.mit.edu/pks/lookup?op=ge...4463C040102233

Edit: to state the obvious, once you have that key, there is no need to download the ISO and its signature with https.

Edit-edit: and then you just check the ISO's signature. obvsly. sorry. Now I remember what happened last year, I can understand why you're worried.

I would (should, actually) import the key from a keyserver, e.g. "gpg --recv-keys key IDs". e.g. :This is assuming that you have set a key server by default.

Then you can check the ISO against the key, even if you didn't use https to download it.

But, wait for answer from people more knowledgeable in that field.
EDIT: you got it while I was typing...

If you don't have the key, downloading it from somewhere other than the same place you get the ISO is a wise move and the key server is as good a place as any. You should also check its fingerprint with someone who already has it before using it for extra reassurance.

Here's my copy:

Thanks everyone for replying. I have verified my iso (without actually setting up the trust connection with the gpg key, but it's better than nothing). https://httpd.apache.org/dev/verification.html is helpful.

Once slackware is installed, to use slackpkg, we run slackpkg update gpg for each new repo, right? Doesn't that script just grab the GPG-KEY from the repo over http/ftp without any added security? What's keeping someone from intercepting that request and returning an invalid gpg key for the repo?

No. slackpkg only runs with the official Slackware repository. You only need to import the official GPG key once.

If you are using slackpkgplus for additional repos, then again, you only need to get each additional GPG key once. So you can get (for example) Alien Bob's key securely from a keyserver (gpg --keyserver pgp.mit.edu --recv-key 769EE011) before the first time you run slackpkgplus. After that, it doesn't matter if slackpkgplus uses http to download the packages and the signatures.

Mostly you only need to worry about the server you're downloading from being hacked and dubious files being substituted. If you're up against an adversary with the ability to do realtime intercept and MITM of all your key requests and communication channels then I'm afraid you've got much larger concerns than worrying about whether your slackware iso's have been tampered with.

Get the key from the key server and check the fingerprint as described above. Let the tin-foil hat brigade worry about the rest.

Thanks again, everyone. I like the idea of getting the GPG keys separately from a key server instead of from the mirror.