From: Gregory Nowak
To: "Speakup is a screen review system for Linux."
Date: Mon, 1 Dec 2003 17:30:06 -0600
Subject: Re: slackware iso's
Message-ID: <20031201233006.GB7997@romuald.net.eu.org>
In-Reply-To: <20031201223040.GA6936@tomass.dyndns.org>

I used the gpg method you describe below. However, it occurred to me that there is nothing stopping someone from potentially cracking an ftp server, and changing the iso image, while leaving the asc file intact. So, doing gpg --verify would still tell you the signature is correct, even though the iso(s) had been messed with. Am I missing something here, or is this train of thought actually correct?

If this train of thought is correct, then what's the point of the .asc file, other than to give an unsuspecting user a false sense of security?

Greg

On Mon, Dec 01, 2003 at 04:30:41PM -0600, Thomas Stivers wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 12/01/03 5:12 PM -0500, Christopher Moore wrote:
> > Hi gang,
> > What do you do with the .asc and .md5 files associated with the slackware
> > iso's? I think they have something to do with checking the accuracy of the
> > iso image but not sure how to use them.
>
> They are an md5 checksum and ascii armored openpgp signature. To make
> use of them you will need the program md5sum (in the textutils package I
> believe) and either gpg or pgp. For the md5 file do "md5sum -c
> " and for the asc file use "gpg --verify ".
> For the signature you will need the public key of
> security@slackware.com, which is available on pgp keyservers everywhere
> (I.E. wwwkeys.pgp.net).
>
> - --
> Unix is a user friendly operating system. It just picks its friends more
> carefully than others.
> Thomas Stivers e-mail: stivers_t@tomass.dyndns.org gpg: 45CBBABD
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (GNU/Linux)
>
> iD8DBQE/y8EQ5JK61UXLur0RAj/KAJ4mojGKlm+3ZaWbJCzYanmzWfhmigCbBX66
> ek6+naFZlRCZhCnl3QWA+6Q=
> =ZyfA
> -----END PGP SIGNATURE-----

--
Free domains: http://www.eu.org/ or mail dns-manager@EU.org
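
The two checks discussed in this thread, run end to end as an added example that is not part of either message: a shell function signs a constructed stand-in file with a throwaway key, runs `gpg --verify` and `md5sum -c`, then changes the file while leaving the `.asc` and `.md5` in place and runs both checks again. The names `demo_verify` and `demo.iso` and the demo key are assumptions made for illustration, and GnuPG 2.1 or later with coreutils `md5sum` is assumed.

```shell
#!/bin/sh
# Added demo, not from the thread. Everything here is constructed: a throwaway
# key and a tiny stand-in file named demo.iso, not Slackware's key or image.
# The body runs in a subshell ( ... ) so the cd and GNUPGHOME changes do not
# leak into the calling shell.
demo_verify() (
    work=$(mktemp -d) || exit 1
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" && cd "$work" || exit 1

    printf 'constructed stand-in for an ISO image\n' > demo.iso

    # Publisher side: producing demo.iso.asc needs the private key;
    # producing demo.iso.md5 needs no secret at all.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer <demo@example.invalid>' default default never
    gpg --batch --quiet --armor --detach-sign --output demo.iso.asc demo.iso
    md5sum demo.iso > demo.iso.md5

    # Downloader side: report "good" or "bad" from each tool's exit status.
    check() { if "$@" >/dev/null 2>&1; then echo good; else echo bad; fi; }
    sig=$(check gpg --batch --verify demo.iso.asc demo.iso)
    md5=$(check md5sum -c demo.iso.md5)

    # The scenario from the message above: the image is changed on the server
    # while the .asc (and here also the .md5) is left exactly as published.
    printf 'modified\n' >> demo.iso
    tampered_sig=$(check gpg --batch --verify demo.iso.asc demo.iso)
    tampered_md5=$(check md5sum -c demo.iso.md5)

    gpgconf --kill gpg-agent >/dev/null 2>&1
    cd / && rm -rf "$work"
    echo "sig=$sig md5=$md5 tampered_sig=$tampered_sig tampered_md5=$tampered_md5"
)

demo_verify
```

With a detached signature, `gpg --verify` takes the signature file first and the signed file second, and its exit status is what a script should test.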