2

I've downloaded and installed sabayon, but all I can find to verify that iso image is an md5sum that can only be downloaded from the same insecure mirrors.

  • md5 checksums are not cryptographically secure -- that should be at least sha256.
  • the mirrors to download that checksum from use only insecure protocols (http, ftp, rsync), therefore can not be trusted.
  • I can't find anything about security issues on Google (at least while I'm running sabayon). Is this distribution designed to pleasure hackers and supported by the NSA? (or am I paranoid?)
  • would it be secure to install sabayon via gentoo-overlay? (or is there a similar but secure gentoo-based distro out there?)
Tim
  • 1,023
  • 5
  • 20
comonad
  • 121
  • 3
  • I guess you're paranoid a bit, but why can't you just download and install original Gentoo? That could help you with fear of obtaining wrong file. – MatthewRock Apr 09 '16 at 13:26
  • i did run gentoo only on my desktop and servers, did choose sabayon for my laptop. to install sabayon via gentoo is more time consuming than to install via iso. so, yes, i could, but i only need secure verification, which should not take more than 1 minute to do. – comonad Apr 09 '16 at 21:33

1 Answers1

0

The md5sum is for verifying that the ISO is completely and correctly downloaded, not for verifying the source of the uploader.

However, there often is another file - an asc-or pgp-file - this contain a detached pgp-signature, and can be used to verify the source of the files. The detached signature is often for the md5-file (not the ISO-file itself); but if the md5-file is genuine and it tells you the ISO-file's checksum is correct, then you have an intact chain which ensure the ISO-file is genuine too.

It doesn't really matter if the download-site for all is insecure. If either or all of the files were tampered with, that would be detected by pgp. As long as the author's secret-key hasn't been compromised - or you haven't been mislead to verify the download with a false public-key (a key only pretending to be by the author - then you'll detect any tampering. Either because the ISO-file's checksum doesn't match, because the md5-file can't be verified, or because gpg fails to correctly process the detached signature with the author's public-key

For example, you've downloaded image.iso. You verify that it's correctly downloaded by finding it's md5sum and comparing it to the contents of the image.iso.md5 file. Then you take the image.iso.md5.asc and the public pgp-key of the uploader/programmer, and use gpg to confirm that the image.iso.md5 is genuine and untampered. Assuming it is, then also your ISO-file is - assuming the md5-checksum matched.

Baard Kopperud
  • 7,023
  • 6
  • 42
  • 62
  • I know how to verify any .asc signature. can't find any. and even if there were any .iso.md5.asc file, i believe that with some effort it is quite possible to create a different iso with the same md5sum -- should have been possible for the last 10 years. – comonad Apr 09 '16 at 18:36