slackware iso's

Thomas Stivers stivers_t at tomass.dyndns.org
Tue Dec 2 05:55:13 EST 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/01/03  5:30 PM -0600, Gregory Nowak wrote:
> I used the gpg method you describe below. However, it occurred to me
> that there is nothing stopping someone from potentially cracking an
> ftp server, and changing the iso image, while leaving the asc file
> intact. So, doing gpg --verify <ascfilename> would still tell you the
> signature is correct, even though the iso(s) had been messed with.

The signature file is verified against the iso. If you didn't have it in
the same directory or if it was corrupted the signature wouldn't verify.

> Am I missing something here, or is this train of thought actually
> correct? If this train of thought is correct, then what's the point of
> the .asc file, other than to give an unsuspecting user a false sense
> of security?

I suppose it is possible that someone could generate a new key with a
userid of security at slackware.com, but you would probably hear about
something like that from other sources.

- -- 
Unix is a user friendly operating system. It just picks its friends more
carefully than others.
Thomas Stivers	e-mail: stivers_t at tomass.dyndns.org	gpg: 45CBBABD
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/zG+Q5JK61UXLur0RApkTAJ9IsDX8l2sHmlBD0qVqXdS1y/9WFgCeLjaY
f10hopMOWpo7JmVYdbAICRg=
=dGsW
-----END PGP SIGNATURE-----
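
The two checks discussed in this thread are that the signature must match the ISO's contents and that the signing key must be the expected one rather than a new key carrying the same user ID. As an added example that is not part of the original message, this shell function accepts a detached signature only when GnuPG's machine-readable status reports VALIDSIG for a pinned fingerprint. The function names, file arguments and the fingerprint are placeholders assumed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Names and values are hypothetical.

# check_status PINNED_FPR
# Reads "gpg --status-fd" output on stdin. Returns 0 only when:
#   - a VALIDSIG line names the pinned fingerprint (signing key or primary key),
#   - no VALIDSIG line names any other key, and
#   - no BADSIG or ERRSIG line is present.
check_status() {
    # Normalise the pinned fingerprint: drop spaces, upper-case the hex digits.
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    # Refuse anything that is not a full 40-hex-digit (v4) fingerprint;
    # short key IDs are too easy to collide with.
    case "$pinned" in
        *[!0-9A-F]*|'') return 1 ;;
    esac
    [ "${#pinned}" -eq 40 ] || return 1

    awk -v pin="$pinned" '
        $1 != "[GNUPG:]" { next }
        # BADSIG: the data does not match the signature (for example, a modified ISO).
        # ERRSIG: the signature could not be checked (for example, missing public key).
        $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 3 is the signing key fingerprint; the last field is the
            # primary key fingerprint on GnuPG versions that report it.
            if (toupper($3) == pin || toupper($NF) == pin) ok = 1
            else other = 1
        }
        END {
            if (ok && !bad && !other) exit 0
            exit 1
        }
    '
}

# verify_iso ISO_FILE SIG_FILE PINNED_FPR
# Runs gpg on the detached signature and the ISO, then applies check_status.
verify_iso() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status "$3"
}
```

The pinned fingerprint has to come from somewhere other than the server the ISO was downloaded from, otherwise a replaced key passes the same check as a replaced ISO.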



