slackware iso's

Alex Snow alex_snow at gmx.net
Mon Dec 1 18:37:37 EST 2003


The signature won't verify if the iso has been modified. So
theoretically the only way of screwing with an iso and not letting the
user know would be to somehow obtain the private key of the original
signer, modify the iso, and regenerate the sig.

On Mon, Dec 01, 2003 at 05:30:06PM -0600, Gregory Nowak wrote:
> I used the gpg method you describe below. However, it occurred to me
> that there is nothing stopping someone from potentially cracking an
> ftp server, and changing the iso image, while leaving the asc file
> intact. So, doing gpg --verify <ascfilename> would still tell you the
> signature is correct, even though the iso(s) had been messed with.
> 
> Am I missing something here, or is this train of thought actually
> correct? If this train of thought is correct, then what's the point of
> the .asc file, other than to give an unsuspecting user a false sense
> of security?
> 
> Greg
> 
> 
> On Mon, Dec 01, 2003 at 04:30:41PM -0600, Thomas Stivers wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > On 12/01/03  5:12 PM -0500, Christopher Moore wrote:
> > > Hi gang,
> > > What do you do with the .asc and .md5 files associated with the slackware
> > > iso's?  I think they have something to do with checking the accuracy of the
> > > iso image but not sure how to use them.
> > 
> > They are an md5 checksum and ascii armored openpgp signature. To make
> > use of them you will need the program md5sum (in the textutils package I
> > believe) and either gpg or pgp. For the md5 file do "md5sum -c
> > <md5filename>" and for the asc file use "gpg --verify <ascfilename>".
> > For the signature you will need the public key of
> > security at slackware.com, which is available on pgp keyservers everywhere
> > (I.E. wwwkeys.pgp.net). 
> > 
> > - -- 
> > Unix is a user friendly operating system. It just picks its friends more
> > carefully than others.
> > Thomas Stivers	e-mail: stivers_t at tomass.dyndns.org	gpg: 45CBBABD
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.3 (GNU/Linux)
> > 
> > iD8DBQE/y8EQ5JK61UXLur0RAj/KAJ4mojGKlm+3ZaWbJCzYanmzWfhmigCbBX66
> > ek6+naFZlRCZhCnl3QWA+6Q=
> > =ZyfA
> > -----END PGP SIGNATURE-----
> > 
> > _______________________________________________
> > Speakup mailing list
> > Speakup at braille.uwo.ca
> > http://speech.braille.uwo.ca/mailman/listinfo/speakup
> 
> -- 
> Free domains: http://www.eu.org/ or mail dns-manager at EU.org
> 
> 

-- 
Always borrow money from a pessimist; he doesn't expect to be paid
back.
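
Added example, not part of the original thread: a small simulation of the two checks discussed above, showing why an untouched .asc file stops verifying once the ISO changes, while an .md5 file stored on the same server can simply be regenerated. Textbook RSA over a SHA-256 digest with a constructed toy key stands in for the real OpenPGP signature; all names and sample bytes are assumptions made for illustration.

```python
import hashlib

# Constructed toy RSA key standing in for the signer's OpenPGP key pair.
# Two Mersenne primes make n only 216 bits: far too small for real use.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, never on the FTP server


def digest_int(data: bytes) -> int:
    """SHA-256 of the file contents, reduced into the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes, d: int = D) -> int:
    """What the signer does once, offline, to produce the .asc file."""
    return pow(digest_int(data), d, N)


def verify(data: bytes, sig: int) -> bool:
    """What 'gpg --verify' does conceptually: needs only the public key (N, E)."""
    return pow(sig, E, N) == digest_int(data)


def md5_ok(data: bytes, md5_file: str) -> bool:
    """Equivalent of 'md5sum -c': compares against whatever the .md5 file says."""
    return hashlib.md5(data).hexdigest() == md5_file


def scenarios() -> dict:
    iso = b"constructed stand-in for the original ISO contents"
    asc, md5 = sign(iso), hashlib.md5(iso).hexdigest()
    tampered = iso + b" plus attacker changes"
    # Attacker controls the server: can rewrite .md5, but can only guess at a key.
    forged_md5 = hashlib.md5(tampered).hexdigest()
    forged_asc = sign(tampered, d=E)  # wrong exponent: attacker lacks D
    return {
        "original": verify(iso, asc),
        "tampered_iso_old_asc": verify(tampered, asc),
        "tampered_iso_forged_asc": verify(tampered, forged_asc),
        "tampered_iso_old_md5": md5_ok(tampered, md5),
        "tampered_iso_new_md5": md5_ok(tampered, forged_md5),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:26} {'OK' if ok else 'FAILED'}")
```

The signature check only means something if the public key was obtained and checked independently of the server hosting the ISO.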




