From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pc-24-151-10-129.newt1.ct.charter.com ([24.151.10.129] helo=h14me.homelinux.net) by speech.braille.uwo.ca with esmtp (Exim 3.36 #1 (Debian)) id 1AQxah-0006L6-00 for ; Mon, 01 Dec 2003 18:36:31 -0500 Received: from h14me.homelinux.net (localhost [127.0.0.1]) by h14me.homelinux.net (8.12.10/8.12.10) with ESMTP id hB1Nbbhb011573 for ; Mon, 1 Dec 2003 18:37:37 -0500 Received: (from alex_snow@localhost) by h14me.homelinux.net (8.12.10/8.12.10/Submit) id hB1NbbiY011572 for speakup@braille.uwo.ca; Mon, 1 Dec 2003 18:37:37 -0500 Date: Mon, 1 Dec 2003 18:37:37 -0500 From: Alex Snow To: "Speakup is a screen review system for Linux." Message-ID: <20031201233737.GF11515@gmx.net> References: <20031201221230.GA274@chris> <20031201223040.GA6936@tomass.dyndns.org> <20031201233006.GB7997@romuald.net.eu.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20031201233006.GB7997@romuald.net.eu.org> User-Agent: Mutt/1.4.1i Subject: Re: slackware iso's X-BeenThere: speakup@braille.uwo.ca X-Mailman-Version: 2.1.3 Precedence: list Reply-To: "Speakup is a screen review system for Linux." List-Id: Speakup is a screen review system for Linux. List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 01 Dec 2003 23:36:32 -0000 the signature won't varify if the iso has been modified. so theoretically the only way of screwing with an iso and not letting the user know whould be to somehow obtain the private key of the original signer, modify the iso, and regenerate the sig. On Mon, Dec 01, 2003 at 05:30:06PM -0600, Gregory Nowak wrote: > I used the gpg method you describe below. However, it occurred to me > that there is nothing stopping someone from potentially cracking an > ftp server, and changing the iso image, while leaving the asc file > intact. So, doing gpg --verify would still tell you the > signature is correct, even though the iso(s) had been messed with. > > Am I missing something here, or is this train of thought actually > correct. If this train of thought is correct, then what's the point of > the .asc file, other then to give an unsuspecting user a false sense > of security? > > Greg > > > On Mon, Dec 01, 2003 at 04:30:41PM -0600, Thomas Stivers wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > On 12/01/03 5:12 PM -0500, Christopher Moore wrote: > > > Hi gang, > > > What do you do with the .asc and .md5 files associated with the slackware > > > iso's? I think they have something to do with checking the accuracy of the > > > iso image but not sure how to use them. > > > > They are an md5 checksum and ascii armored openpgp signature. To make > > use of them you will need the program md5sum (in the textutils package I > > believe) and either gpg or pgp. For the md5 file do "md5sum -c > > " and for the asc file use "gpg --verify ". > > For the signature you will need the public key of > > security@slackware.com, which is available on pgp keyservers everywhere > > (I.E. wwwkeys.pgp.net). > > > > - -- > > Unix is a user friendly operating system. It just picks its friends more > > carefully than others. > > Thomas Stivers e-mail: stivers_t@tomass.dyndns.org gpg: 45CBBABD > > -----BEGIN PGP SIGNATURE----- > > Version: GnuPG v1.2.3 (GNU/Linux) > > > > iD8DBQE/y8EQ5JK61UXLur0RAj/KAJ4mojGKlm+3ZaWbJCzYanmzWfhmigCbBX66 > > ek6+naFZlRCZhCnl3QWA+6Q= > > =ZyfA > > -----END PGP SIGNATURE----- > > > > _______________________________________________ > > Speakup mailing list > > Speakup@braille.uwo.ca > > http://speech.braille.uwo.ca/mailman/listinfo/speakup > > -- > Free domains: http://www.eu.org/ or mail dns-manager@EU.org > > > _______________________________________________ > Speakup mailing list > Speakup@braille.uwo.ca > http://speech.braille.uwo.ca/mailman/listinfo/speakup -- Always borrow money from a pessimist; he doesn't expect to be paid back.