Slackware: This Forum is for the discussion of Slackware Linux.
Is there a way to download Slackware ISOs and the gpg-key over https, instead of just http? Is there something preventing downloads from being manipulated by malicious actors?
I would (should, actually) import the key from a keyserver, e.g. "gpg --recv-keys KEY-ID", e.g.:
Code:
gpg2 --recv-keys 40102233
This is assuming that you have set a key server by default.
Then you can check the ISO against the key, even if you didn't use https to download it.
But, wait for answer from people more knowledgeable in that field.
EDIT: you got it while I was typing...
Last edited by Didier Spaier; 03-18-2017 at 05:32 AM.
If you don't have the key, downloading it from somewhere other than the same place you get the ISO is a wise move and the key server is as good a place as any. You should also check its fingerprint with someone who already has it before using it for extra reassurance.
Thanks everyone for replying. I have verified my ISO (without actually setting up the trust connection with the GPG key, but it's better than nothing). https://httpd.apache.org/dev/verification.html is helpful.
Once slackware is installed, to use slackpkg, we run slackpkg update gpg for each new repo, right? Doesn't that script just grab the GPG-KEY from the repo over http/ftp without any added security? What's keeping someone from intercepting that request and returning an invalid gpg key for the repo?
Once slackware is installed, to use slackpkg, we run slackpkg update gpg for each new repo, right?
No. slackpkg only runs with the official Slackware repository. You only need to import the official GPG key once.
If you are using slackpkgplus for additional repos, then again, you only need to get each additional GPG key once. So you can get (for example) Alien Bob's key securely from a keyserver (gpg --keyserver pgp.mit.edu --recv-key 769EE011) before the first time you run slackpkgplus. After that, it doesn't matter if slackpkgplus uses http to download the packages and the signatures.
What's keeping someone from intercepting that request and returning an invalid gpg key for the repo?
Mostly you only need to worry about the server you're downloading from being hacked and dubious files being substituted. If you're up against an adversary with the ability to do realtime intercept and MITM of all your key requests and communication channels then I'm afraid you've got much larger concerns than worrying about whether your Slackware ISOs have been tampered with.
Get the key from the key server and check the fingerprint as described above. Let the tin-foil hat brigade worry about the rest.
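The procedure the replies above describe (fetch the key from a keyserver, compare its fingerprint with a copy you got out of band, then verify the ISO's detached .asc signature) as an added worked example; this is editor-written code, not from the thread or from the Slackware project. Two points it makes explicit that the thread only implies: the 8-hex-digit IDs quoted above (40102233, 769EE011) are 32-bit short key IDs, which are trivially collidable (the Evil32 collisions demonstrated this publicly), so the value you pin and pass to --recv-keys should be the full 40-hex fingerprint; and `gpg --verify` exits 0 for a good signature from any key in your keyring, so the check that actually matters is that the VALIDSIG status line names the pinned fingerprint. The keyserver URL, the placeholder fingerprint and the status-line samples in the script are assumptions/constructed data, not Slackware's real key.

```shell
#!/bin/sh
# Added example, not from the thread or from Slackware. Usage:
#   sh verify_iso.sh FULL-40-HEX-FINGERPRINT slackware.iso slackware.iso.asc
# Assumptions: gpg (GnuPG 2.x) is installed; KEYSERVER may be overridden.

# Normalise a fingerprint: drop whitespace, upper-case hex.
norm_fpr() { printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'; }

# Succeed only if CANDIDATE is a full 40-hex fingerprint equal to PINNED.
# A short 8- or 16-hex key ID never matches, by design.
fpr_matches() {  # fpr_matches CANDIDATE PINNED
  c=$(norm_fpr "$1"); p=$(norm_fpr "$2")
  case "$c" in ""|*[!0-9A-F]*) return 1;; esac
  [ "${#c}" -eq 40 ] && [ "$c" = "$p" ]
}

# Read `gpg --status-fd 1 --verify` output on stdin; succeed only on a
# VALIDSIG line whose signing-key ($3) or primary-key ($NF) fingerprint is
# the pinned one. GOODSIG alone is not enough: it names any keyring key.
sig_from_pinned_key() {  # sig_from_pinned_key PINNED
  awk -v f="$(norm_fpr "$1")" '
    $1=="[GNUPG:]" && $2=="VALIDSIG" && ($3==f || $NF==f) { ok=1 }
    END { exit (ok ? 0 : 1) }'
}

# Fetch by full fingerprint so gpg imports exactly that key, not whatever
# shares a short ID with it. KEYSERVER default is an assumption.
fetch_key() {  # fetch_key PINNED
  gpg --batch --keyserver "${KEYSERVER:-hkps://keyserver.ubuntu.com}" \
      --recv-keys "$(norm_fpr "$1")"
}

# Full check: the key in the keyring must carry the pinned fingerprint, and
# the detached signature on the ISO must come from that key.
verify_iso() {  # verify_iso PINNED ISO ISO.asc
  fpr=$(gpg --batch --with-colons --fingerprint "$(norm_fpr "$1")" 2>/dev/null \
        | awk -F: '$1=="fpr" { print $10; exit }')
  fpr_matches "$fpr" "$1" || {
    echo "key with fingerprint $1 is not in the keyring (run fetch_key first)" >&2
    return 2
  }
  # Exit status of gpg is deliberately ignored; the status lines decide.
  gpg --batch --status-fd 1 --verify "$3" "$2" 2>/dev/null | sig_from_pinned_key "$1"
}

# Only act when invoked with arguments, so the functions can be sourced.
if [ "$#" -eq 3 ]; then
  verify_iso "$1" "$2" "$3" && echo "OK: $2 is signed by $1" || {
    echo "FAILED: $2 is not signed by the pinned key" >&2; exit 1; }
fi
```

Compare the fingerprint you pin against one obtained from a second channel (a previously installed /root/.gnupg keyring, a printed copy, a known person, or the key embedded on the install media itself), not against the same mirror that serves the ISO. After a one-time import with the full fingerprint, slackpkg and slackpkgplus can fetch packages and signatures over plain HTTP as the replies say; the signature check is what protects you.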