LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices


Reply
  Search this Thread
Old 03-17-2017, 07:50 PM   #1
tuubaaku
Member
 
Registered: Oct 2004
Distribution: Slackware, Mint
Posts: 121

Rep: Reputation: 16
Slackware ISOs and gpg-key secure download


Is there a way to download Slackware ISOs and the gpg-key over https, instead of just http? Is there something preventing downloads from being manipulated by malicious actors?
 
Old 03-17-2017, 08:49 PM   #2
bassmadrigal
Senior Member
 
Registered: Nov 2003
Location: Newport News, VA
Distribution: Slackware
Posts: 4,109

Rep: Reputation: 2079Reputation: 2079Reputation: 2079Reputation: 2079Reputation: 2079Reputation: 2079Reputation: 2079Reputation: 2079Reputation: 2079Reputation: 2079Reputation: 2079
I'm not sure about that, but if you're worried, you could always get the torrents.
 
Old 03-17-2017, 11:37 PM   #3
ivandi
Member
 
Registered: Jul 2009
Location: Québec, Canada
Distribution: SlackMATE on top of Slackware64-14.2
Posts: 371

Rep: Reputation: 464Reputation: 464Reputation: 464Reputation: 464Reputation: 464
Nobody cares about Slackware. So you are safe

Cheers
 
Old 03-18-2017, 05:13 AM   #4
55020
Senior Member
 
Registered: Sep 2009
Location: Yorks. W.R. 167397
Distribution: Slackware
Posts: 1,060
Blog Entries: 4

Rep: Reputation: 1384Reputation: 1384Reputation: 1384Reputation: 1384Reputation: 1384Reputation: 1384Reputation: 1384Reputation: 1384Reputation: 1384Reputation: 1384
Quote:
Originally Posted by tuubaaku View Post
Is there something preventing downloads from being manipulated by malicious actors?
OMG James Woods is in the tubes!!

https://pgp.mit.edu/pks/lookup?op=vi...4463C040102233
https://pgp.mit.edu/pks/lookup?op=ge...4463C040102233

Edit: to state the obvious, once you have that key, there is no need to download the ISO and its signature with https.

Edit-edit: and then you just check the ISO's signature. obvsly. sorry. Now I remember what happened last year, I can understand why you're worried.

Last edited by 55020; 03-18-2017 at 05:22 AM.
 
1 members found this post helpful.
Old 03-18-2017, 05:28 AM   #5
Didier Spaier
LQ Addict
 
Registered: Nov 2008
Location: Paris, France
Distribution: Slint64-14.2 on Lenovo Thinkpad W520
Posts: 7,565

Rep: Reputation: 2498Reputation: 2498Reputation: 2498Reputation: 2498Reputation: 2498Reputation: 2498Reputation: 2498Reputation: 2498Reputation: 2498Reputation: 2498Reputation: 2498
Quote:
Originally Posted by tuubaaku View Post
Is there a way to download Slackware ISOs and the gpg-key over https, instead of just http? Is there something preventing downloads from being manipulated by malicious actors?
I would (should, actually) import the key from a keyserver, e.g. "gpg --recv-keys key IDs". e.g. :
Code:
gpg2 --recv-keys  40102233
This is assuming that you have set a key server by default.

Then you can check the ISO against the key, even if you didn't use https to download it.

But, wait for answer from people more knowledgeable in that field.
EDIT: you got it while I was typing...

Last edited by Didier Spaier; 03-18-2017 at 05:32 AM.
 
1 members found this post helpful.
Old 03-18-2017, 06:05 AM   #6
GazL
Senior Member
 
Registered: May 2008
Posts: 4,370
Blog Entries: 7

Rep: Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815
If you don't have the key, downloading it from somewhere other than the same place you get the ISO is a wise move and the key server is as good a place as any. You should also check its fingerprint with someone who already has it before using it for extra reassurance.

Here's my copy:
Code:
root@ws1:~$ gpg --fingerprint 40102233
pub   1024D/40102233 2003-02-26 [expires: 2038-01-19]
      Key fingerprint = EC56 49DA 401E 22AB FA67  36EF 6A44 63C0 4010 2233
uid                  Slackware Linux Project <security@slackware.com>
sub   1024g/4E523569 2003-02-26 [expires: 2038-01-19]

Last edited by GazL; 03-18-2017 at 06:06 AM.
 
1 members found this post helpful.
Old 03-18-2017, 12:55 PM   #7
tuubaaku
Member
 
Registered: Oct 2004
Distribution: Slackware, Mint
Posts: 121

Original Poster
Rep: Reputation: 16
Thanks everyone for replying. I have verified my iso (without actually setting up the trust connection with the gpg key, but it's better than nothing). https://httpd.apache.org/dev/verification.html is helpful.

Once slackware is installed, to use slackpkg, we run slackpkg update gpg for each new repo, right? Doesn't that script just grab the GPG-KEY from the repo over http/ftp without any added security? What's keeping someone from intercepting that request and returning an invalid gpg key for the repo?
 
Old 03-18-2017, 02:07 PM   #8
55020
Senior Member
 
Registered: Sep 2009
Location: Yorks. W.R. 167397
Distribution: Slackware
Posts: 1,060
Blog Entries: 4

Rep: Reputation: 1384Reputation: 1384Reputation: 1384Reputation: 1384Reputation: 1384Reputation: 1384Reputation: 1384Reputation: 1384Reputation: 1384Reputation: 1384
Quote:
Originally Posted by tuubaaku View Post
Once slackware is installed, to use slackpkg, we run slackpkg update gpg for each new repo, right?
No. slackpkg only runs with the official Slackware repository. You only need to import the official GPG key once.

If you are using slackpkgplus for additional repos, then again, you only need to get each additional GPG key once. So you can get (for example) Alien Bob's key securely from a keyserver (gpg --keyserver pgp.mit.edu --recv-key 769EE011) before the first time you run slackpkgplus. After that, it doesn't matter if slackpkgplus uses http to download the packages and the signatures.
 
3 members found this post helpful.
Old 03-18-2017, 03:10 PM   #9
GazL
Senior Member
 
Registered: May 2008
Posts: 4,370
Blog Entries: 7

Rep: Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815Reputation: 1815
Quote:
Originally Posted by tuubaaku View Post
What's keeping someone from intercepting that request and returning an invalid gpg key for the repo?

Mostly you only need to worry about the server you're downloading from being hacked and dubious files being substituted. If you're up against an adversary with the ability to do realtime intercept and MITM of all your key requests and communication channels then I'm afraid you've got much larger concerns than worrying about whether your slackware iso's have been tampered with.

Get the key from the key server and check the fingerprint as described above. Let the tin-foil hat brigade worry about the rest.

Last edited by GazL; 03-18-2017 at 03:12 PM.
 
1 members found this post helpful.
Old 03-18-2017, 07:47 PM   #10
tuubaaku
Member
 
Registered: Oct 2004
Distribution: Slackware, Mint
Posts: 121

Original Poster
Rep: Reputation: 16
Thanks again, everyone. I like the idea of getting the GPG keys separately from a key server instead of from the mirror.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
GPG and Signature Key on linux ISOs DW997 Linux - Newbie 1 05-17-2016 07:06 PM
[SOLVED] Slackware 14.0 GPG-KEY aaarnt Slackware 24 01-08-2013 08:08 AM
GPG: Bad session key gpg between gpg on linux and gpg gui on windows XP konqi Linux - Software 1 07-21-2009 09:37 AM
Can't download Livna GPG key garrik Fedora 2 06-10-2007 04:46 PM
BitTTorrent download of Slackware isos Douwe Slackware 2 11-28-2005 05:40 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware

All times are GMT -5. The time now is 09:54 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration