Old 05-17-2016, 07:57 PM   #1
LQ Newbie
Registered: May 2016
Posts: 1

Rep: Reputation: Disabled
GPG and Signature Key on linux ISOs


Why don't many Linux distributions use GPG and a signature file to verify ISO files? Many use the usual md5sum and SHA variants. There is more work involved when using the GPG method, but I believe it's better in the long run.
Old 05-17-2016, 08:06 PM   #2
Senior Member
Registered: Sep 2010
Location: Wellington, New Zealand
Distribution: Slackware, Fedora
Posts: 1,024

Rep: Reputation: 665
GPG supports the identity of the person distributing the file. SHAsum supports the identity of the file.

GPG, for instance, requires that someone owns a private key file, and they often use that keyfile in communication with other people, so there's a sense that yes, this keyfile is a file that This Person owns and has a passphrase to use, so I trust that when I get a file that is signed with that keyfile's signature, then it really is something coming from that person (unless that person has been captured and tortured, or had both their keyfile AND passphrase stolen).

A SHAsum just looks at bits and verifies that they haven't changed. That's usually pretty good, but from what I understand, it can eventually be spoofed (not easily, but still...). There's no sense of personal interaction, either, so if an ISO gets posted online and they're always signed by this one dev, but suddenly it's signed with a different key, I might be prompted to investigate what's going on - was the old key deprecated and s/he has a new key now, or is someone trying to slip something by me?

There may be lower level reasons (gpg integration with a build system, that sort of thing) but that's my understanding of the reasoning.
2 members found this post helpful.
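The check the reply describes (notice when an ISO is suddenly signed by a different key) written out as a POSIX shell script; this is an added example, not code from the thread or from either poster. It assumes the common layout of a SHA256SUMS file with a detached SHA256SUMS.gpg signature, the VALIDSIG field order from gpg's status output, and a placeholder fingerprint that you would replace with the one the distribution publishes.

```shell
#!/bin/sh
# Added example (not from the thread): verify a distro's signed SHA256SUMS file,
# require that the signature was made by a key whose fingerprint was pinned in
# advance, and only then check the ISO against the list. The fingerprint below
# is a placeholder; the file names are the assumed SHA256SUMS / SHA256SUMS.gpg.
PINNED_FPR="0000000000000000000000000000000000000000"   # placeholder, replace

# check_status: read "gpg --status-fd 1" lines on stdin; succeed only if a
# VALIDSIG line names the pinned fingerprint (as the signing key or, when gpg
# reports it, as the primary key that the signing subkey belongs to).
check_status() {
    pinned="$1"
    found=1
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                # assumed field order: VALIDSIG <fpr> <date> <ts> <expire> <ver>
                #                      <rsvd> <pkalg> <hashalg> <class> [<primary-fpr>]
                set -- $line
                if [ "$3" = "$pinned" ] || [ "${12}" = "$pinned" ]; then
                    found=0
                fi
                ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
                return 1   # a bad or unverifiable signature overrides anything else
                ;;
        esac
    done
    return "$found"
}

# verify_iso ISO SUMS SIG: gpg exits 0 for a good signature from *any* key in
# the keyring, so its exit code alone does not say who signed. Comparing the
# fingerprint is what turns "valid signature" into "signed by the distro's key".
verify_iso() {
    iso="$1"; sums="$2"; sig="$3"
    gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null |
        check_status "$PINNED_FPR" || {
            echo "refusing $iso: signature bad, or not made by the pinned key" >&2
            return 1
        }
    # The checksum list is now trusted; use it to confirm the ISO's bytes.
    grep -- "[ *]$(basename "$iso")\$" "$sums" | sha256sum -c --quiet || return 1
    echo "ok: $iso matches a checksum that was signed by the pinned key"
}

# usage: sh verify-iso.sh distro.iso SHA256SUMS SHA256SUMS.gpg
if [ "$#" -eq 3 ]; then
    verify_iso "$@"
fi
```

Keep the pinned fingerprint somewhere other than the download page (a previous install, the printed fingerprint from a conference, a key already in your keyring), otherwise a replaced page would simply carry a replaced fingerprint.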
All times are GMT -5.