Author brentsaner
Recipients brentsaner
Date 2015-08-10.05:02:16
Currently, the signatures offered are:

-SHA-256 GPG-signed..
-SHA-1 sums.

There are two main issues I take with this (and one minor annoyance), and do
hope you consider them (along with several recommended solutions).

1.) SHA-1 is broken[0]. If checksums are to be used, the SHA-2 suite (SHA256,
SHA384(uncommon), SHA512(recommended)) is recommended as an alternative. While
the hash itself *is* signed as SHA256 (via GPG), it is still a SHA-1 sum.

2.) However, and my preferred solution: why is a hash being GPG-signed? This
requires one to go through several steps simply to confirm the integrity.

3.) All of the signatures must be downloaded separately.

1.) (preferred) Instead of generating a checksum and then signing that checksum
separately, simply use:
 gpg --personal-digest-preferences SHA512 --output <some-release>.iso.sig
--detach-sign <some-release>.iso

This creates a standalone (or "detached") GPG signature (the default is to
include the data when performing a signature), using SHA-512. It then allows
users to perform a quick and simple "gpg --verify" (which requires no private
key to be generated, only that the GPG public key installed in the local
keyring- which would be necessary to confirm the present method of checksums

2.) A list of SHA-512 sums for ALL ISO/netboot/etc. images distributed, and then
that list is GPG-signed. This allows use of sha512sum -c in a scriptable manner
(one would only need to fetch the sig, strip out the GPG header/footer, and run
the check against that list).

3.) Use the present signing method, but use SHA-512 instead of SHA-1

I do hope this is considered for review. Thank you for your time, and all the
effort you put into grml.

Date User Action Args
2015-08-10 05:02:17brentsanersetrecipients: + brentsaner
2015-08-10 05:02:17brentsanersetmessageid: <>
2015-08-10 05:02:17brentsanerlinkissue1590 messages
2015-08-10 05:02:16brentsanercreate