[issue1590] download signatures should be detached GPG signatures
brent s.
bts at bts.grml.org
Mon Aug 10 07:02:17 CEST 2015
New submission from brent s. <bts at square-r00t.net>:

Currently, the signatures offered are:
- SHA-256 GPG-signed.
- SHA-1 sums.

There are two main issues I take with this (and one minor annoyance), and do
hope you consider them (along with several recommended solutions).

1.) SHA-1 is broken[0]. If checksums are to be used, the SHA-2 suite (SHA256,
SHA384 (uncommon), SHA512 (recommended)) is recommended as an alternative. While
the hash itself *is* signed as SHA256 (via GPG), it is still a SHA-1 sum.

2.) However, and my preferred solution: why is a hash being GPG-signed? This
requires one to go through several steps simply to confirm the integrity.

3.) All of the signatures must be downloaded separately.

SOLUTION PROPOSAL:

1.) (preferred) Instead of generating a checksum and then signing that checksum
separately, simply use:

    gpg --personal-digest-preferences SHA512 --output <some-release>.iso.sig --detach-sign <some-release>.iso

This creates a standalone (or "detached") GPG signature (the default is to
include the data when performing a signature), using SHA-512. It then allows
users to perform a quick and simple "gpg --verify" (which requires no private
key to be generated, only that the GPG public key be installed in the local
keyring, which would be necessary to confirm the present method of checksums
anyway).

2.) A list of SHA-512 sums for ALL ISO/netboot/etc. images distributed, and then
that list is GPG-signed. This allows use of sha512sum -c in a scriptable manner
(one would only need to fetch the sig, strip out the GPG header/footer, and run
the check against that list).

3.) Use the present signing method, but use SHA-512 instead of SHA-1.

I do hope this is considered for review. Thank you for your time, and all the
effort you put into grml.

[0] https://www.schneier.com/blog/archives/2005/02/sha1_broken.html

----------
messages: 5220
nosy: brentsaner
priority: bug
status: unread
title: download signatures should be detached GPG signatures
_____________________________________
GRML issue tracker <bts at bts.grml.org>
<http://bts.grml.org/grml/issue1590>
_____________________________________
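
The two verification flows proposed in the report above (a detached signature, and a GPG-signed list of SHA-512 sums), as an added example that is not part of the original message or of GRML's own tooling. It assumes GnuPG 2.1 or later and `sha512sum`; the throwaway key, `demo.iso` and `SHA512SUMS.asc` are constructed for the demo. It goes one step beyond the report by pinning the signer's fingerprint and by letting gpg emit the list body only after the signature has verified, rather than stripping the armor by hand.

```shell
#!/bin/sh
# Added example; the key, file names and contents are constructed for the demo.

# verify_detached FILE SIG FPR: true only if SIG is a good signature over FILE
# made by the key with fingerprint FPR (not merely by any key in the keyring).
verify_detached() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        grep -q "^\[GNUPG:\] VALIDSIG $3 "
}

# verify_signed_list LIST: let gpg emit the clearsigned body only if its
# signature is good, then check the files named in it (run in their directory).
verify_signed_list() {
    sums=$(gpg --batch --quiet --decrypt "$1" 2>/dev/null) || return 1
    printf '%s\n' "$sums" | sha512sum -c - >/dev/null 2>&1
}

# demo_signatures: prints four results: both checks on an intact file, then
# both checks after the file has been modified.
demo_signatures() (
    work=$(mktemp -d) || exit 1
    GNUPGHOME="$work/gnupg"; export GNUPGHOME   # temporary keyring only
    mkdir -m 700 "$GNUPGHOME" && cd "$work" || exit 1
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Constructed Key <release@example.invalid>' \
        default default never 2>/dev/null || exit 1
    fpr=$(gpg --batch --with-colons --list-keys 2>/dev/null |
        awk -F: '/^fpr/ {print $10; exit}')
    printf 'constructed image contents\n' > demo.iso
    # Proposal 1: detached signature over the image itself.
    gpg --batch --quiet --personal-digest-preferences SHA512 \
        --output demo.iso.sig --detach-sign demo.iso || exit 1
    # Proposal 2: one clearsigned list of SHA-512 sums.
    sha512sum demo.iso | gpg --batch --quiet \
        --personal-digest-preferences SHA512 --clearsign > SHA512SUMS.asc || exit 1
    out=
    for pass in intact modified; do
        [ "$pass" = modified ] && printf 'x' >> demo.iso
        verify_detached demo.iso demo.iso.sig "$fpr" && out="$out ok" || out="$out fail"
        verify_signed_list SHA512SUMS.asc && out="$out ok" || out="$out fail"
    done
    gpgconf --kill gpg-agent 2>/dev/null
    cd / && rm -rf "$work"
    echo "${out# }"
)

if [ "${1:-}" = demo ]; then demo_signatures; fi
```

Run the script with the argument `demo` to see the four results; in real use the fingerprint passed to `verify_detached` comes from a channel independent of the download mirror.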