slackware iso's

[Gregory Nowak]

I used the gpg method you describe below. However, it occurred to me
that there is nothing stopping someone from potentially cracking an
ftp server, and changing the iso image, while leaving the asc file
intact. So, doing gpg --verify <ascfilename> would still tell you the
signature is correct, even though the iso(s) had been messed with.

Am I missing something here, or is this train of thought actually
correct. If this train of thought is correct, then what's the point of
the .asc file, other then to give an unsuspecting user a false sense
of security?

Greg


On Mon, Dec 01, 2003 at 04:30:41PM -0600, Thomas Stivers wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 12/01/03  5:12 PM -0500, Christopher Moore wrote:
> > Hi gang,
> > What do you do with the .asc and .md5 files associated with the slackware
> > iso's?  I think they have something to do with checking the accuracy of the
> > iso image but not sure how to use them.
> 
> They are an md5 checksum and ascii armored openpgp signature. To make
> use of them you will need the program md5sum (in the textutils package I
> believe) and either gpg or pgp. For the md5 file do "md5sum -c
> <md5filename>" and for the asc file use "gpg --verify <ascfilename>".
> For the signature you will need the public key of
> security at slackware.com, which is available on pgp keyservers everywhere
> (I.E. wwwkeys.pgp.net). 
> 
> - -- 
> Unix is a user friendly operating system. It just picks its friends more
> carefully than others.
> Thomas Stivers	e-mail: stivers_t at tomass.dyndns.org	gpg: 45CBBABD
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (GNU/Linux)
> 
> iD8DBQE/y8EQ5JK61UXLur0RAj/KAJ4mojGKlm+3ZaWbJCzYanmzWfhmigCbBX66
> ek6+naFZlRCZhCnl3QWA+6Q=
> =ZyfA
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> Speakup mailing list
> Speakup at braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup

-- 
Free domains: http://www.eu.org/ or mail dns-manager at EU.org