
Re: [opensuse-security] ISO Signatures






The Saturday 2008-06-14 at 09:22 +0100, Benji Weber wrote:

> Greetings,
>
> Could you please publish signatures for the 11.0 ISOs at release? I
> believe they were never published for 10.3, I never got a reply to my
> question on the subject[0].
>
> I hope it does not take someone distributing a CD image with a goatse
> bootloader and the same md5sum for this to be done.
>
> __
> [0] http://lists.opensuse.org/opensuse-security/2007-10/msg00001.html


I'm sorry, I don't quite understand. The checksum for the ISO file checks the entire ISO file including the bootloader, so I don't see how the bootloader can be altered and the iso still pass the test.

Perhaps you mean altering the internal check process of the install DVD? I suppose that would be possible, and would be possible even if pgp signatures were used. The only safe procedure is to test the iso file or dvd externally.


-- Cheers,
       Carlos E. R.