Bug #7056
Closed
Add gpg keys to repo for proper iso download verification method
Description
Currently there is no legitimate way to properly verify the .iso download has not been tampered with.
The sha256 files are not signed, and are posted on the same server that the files are hosted on.
The key must be web of trust signed by "trusted" third parties to prevent a simple hack of a webpage and the replacement of the signature and key ID that users should fetch.
Updated by Jim Pingle over 8 years ago
- Status changed from New to Duplicate
Duplicate of #4472
That said, a copy of the hash is on the same server as the files, but the hash is also available from the downloads page hosted on a different server:
Updated by John Smith over 8 years ago
Ah, I had assumed it was simply two httpd's on the same box as they had an adjacent IP address.
Still, however, if someone can hack or MITM one httpd they can do two, and the CA infrastructure is incredibly unreliable.
The problem with hashes is that they only apply to that single release; you can't simply (as with keys) download a key and use it to verify, e.g., the next 5 releases.
The other ticket is two years old so I did not notice it.
Every other real distro does this and it would not be hard or take much time to do.
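The verification flow requested in the description and in the last comment, as an added example that is not part of the ticket or the project's own tooling: the checksum file carries a detached signature, the signing key is pinned by its full fingerprint, and the same pinned key then serves for later releases. File names, the fingerprint and the checksum-file format are assumptions.

```shell
#!/usr/bin/env bash
# Added example. File names and the fingerprint are constructed placeholders.
# PINNED_FPR: full primary-key fingerprint (uppercase hex, no spaces),
# recorded once from a source independent of the download server.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Read `gpg --status-fd` lines on stdin; succeed only if they report a good
# signature whose primary-key fingerprint equals $1. GOODSIG is required too:
# gpg reports a good signature from an expired or revoked key as EXPKEYSIG or
# REVKEYSIG instead. VALIDSIG field 12 is the primary-key fingerprint; if it
# is absent, fall back to field 3 (fingerprint of the key that signed).
signed_by_pinned() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "VALIDSIG" { if (((NF >= 12 ? $12 : $3) "") == (want "")) pinned = 1 }
        END              { exit !(good && pinned) }'
}

# verify_release ISO SUMS SIG [FPR]
# SUMS is assumed to be in `sha256sum` format and to cover one image;
# SIG is a detached signature over SUMS.
verify_release() {
    local iso="$1" sums="$2" sig="$3" fpr="${4:-$PINNED_FPR}"
    local status want got
    # Step 1: the checksum file must be signed by the pinned key.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null) || return 1
    printf '%s\n' "$status" | signed_by_pinned "$fpr" || return 1
    # Step 2: the image must match the now-authenticated checksum.
    want=$(awk '{ print $1; exit }' "$sums") || return 1
    got=$(sha256sum "$iso" | awk '{ print $1 }') || return 1
    [ -n "$want" ] && [ "$want" = "$got" ]
}
```

A checksum file that fails step 1 is never used for step 2, so replacing both the image and its hash on the download server does not pass the check.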