[Grml-devel] please provide https download at least for the signature
Winston Weinert
winston at ml1.net
Tue Nov 5 15:27:19 CET 2024
On Mon, Oct 21, 2024, at 11:52, T N wrote:
> hi,
Hi, fellow GRML fan here.
> i get big warnings here trying to download grml:
>
> (something like "dont download this file: possible security risk" )
>
> cause its provided without encryption.
>
> Could you please provide https links (at least for the signature file
> if it is impossible for the iso)
I believe the default download links to a geoip mirror selection service (download.grml.org) which redirects to an HTTP mirror. I believe some mirrors automatically redirect HTTP to HTTPS. Some browsers may also forcefully upgrade HTTP to HTTPS.
It is a bit odd that the geoip mirror selection service does not itself redirect to HTTPS mirrors when possible. (Check with
curl -sSIL https://download.grml.org/grml96-full_2024.02.iso | awk '/^[Ll]ocation:/ { print $2; }'
which prints every hop of the redirect chain; the header name is lowercase when the server speaks HTTP/2.) Opportunity for improvement perhaps ;)?
If you need an HTTPS mirror feel free to click on "Download from a specific mirror".
> i tried to verify stuff but i am not sure if i did it in anyway right
> and am more confused then before
GPG can be a bit confusing, and I can empathize with deferring to HTTPS's link authenticity guarantees instead.
Unfortunately, your trust in HTTPS might be misplaced: HTTPS offers authenticity on the link between your computer and the mirror. What if the mirror's files were tampered with? Mitigating the risk of mirror tampering is beyond HTTPS's scope. This is where GPG signatures shine.
I think many users eschew the verification step. It's a risk assessment that only you can decide on. Maybe it's sufficient to trust an HTTPS server with a good certificate; however, this trust really doesn't amount to anything beyond the webmaster having set up HTTPS correctly.
> owner@PC-G2H367S:~/Owner.win/Downloads$ gpg grml64-full_2024.02.iso.asc
> gpg: WARNING: no command supplied. Trying to guess what you mean ...
> gpg: assuming signed data in 'grml64-full_2024.02.iso'
> gpg: Signature made Tue 27 Feb 2024 12:03:13 PM CET
> gpg: using RSA key 33CCB136401AFEC843A3876396A87872B7EA3737
> gpg: Good signature from "Michael Prokop <mail@michael-prokop.at>" [unknown]
> gpg: aka "Michael Prokop <michael.prokop@synpro.solutions>" [unknown]
> gpg: aka "Michael Prokop <mika@debian.org>" [unknown]
> gpg: aka "Michael Prokop <mika@grml.org>" [unknown]
> gpg: aka "Michael Prokop <prokop@grml-solutions.com>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg: There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 33CC B136 401A FEC8 43A3 8763 96A8 7872 B7EA 3737
Yup, verified fine, and that key fingerprint matches the one listed on the download page. You might consider marking that key as trusted after your own cross-referencing of the download page's listed fingerprint: https://www.gnupg.org/gph/en/manual/x334.html Doing so will suppress the "WARNING: This key is not certified with a trusted signature!" message.
Hope that helps,
Winston
https://winny.tech/
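An added example, not code from this thread or from the grml project, of the check Winston describes: a "Good signature" line on its own proves nothing, because anyone can sign a tampered ISO with their own key; what matters is that the primary key fingerprint reported by gpg equals the one you cross-referenced on the download page. The script parses gpg's machine-readable status output (gpg --status-fd 1) instead of scraping the human-readable text, and the expected fingerprint is the one quoted in the thread. The function names, the file names in the usage note, and the sample status lines (including the all-zero "rogue" fingerprint) are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the grml project or this thread): pin the signing
# key's primary fingerprint when verifying a detached GPG signature.

# Fingerprint quoted in the thread and listed on the grml download page.
EXPECTED_FPR="33CCB136401AFEC843A3876396A87872B7EA3737"

# Read gpg status lines on stdin and succeed only if a VALIDSIG line names
# the expected PRIMARY key fingerprint. A VALIDSIG line looks like:
#   [GNUPG:] VALIDSIG <sig-key-fpr> <date> <ts> <exp> <ver> <res> <pkalgo> <hash> <class> <primary-fpr>
# so awk field 12 is the primary key fingerprint, which is what download
# pages publish even when the signature was made by a subkey.
# GOODSIG alone is not checked: a "good" signature from the wrong key fails.
status_has_expected_fpr() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && $12 == want { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Verify DATAFILE against detached signature SIGFILE with gpg and apply the
# fingerprint check. Returns 0 only for a good signature from the pinned key.
# Human-readable gpg chatter goes to stderr and is discarded; the status
# lines go to stdout (--status-fd 1) and into the parser.
verify_with_pinned_fpr() {
    datafile="$1"; sigfile="$2"; want="$3"
    gpg --batch --status-fd 1 --verify "$sigfile" "$datafile" 2>/dev/null \
        | status_has_expected_fpr "$want"
}

# Constructed sample status output (offline stand-ins for real gpg runs).
# Case 1: good signature from the expected key, as in the thread.
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 96A87872B7EA3737 Michael Prokop <mika@grml.org>
[GNUPG:] VALIDSIG 33CCB136401AFEC843A3876396A87872B7EA3737 2024-02-27 1709031793 0 4 0 1 10 00 33CCB136401AFEC843A3876396A87872B7EA3737
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Case 2: a cryptographically good signature from some other key (what a
# tampered mirror serving its own iso+asc pair would produce). Placeholder
# all-zero fingerprint, constructed for the example.
ROGUE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000000 Someone Else <someone@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2024-02-27 1709031793 0 4 0 1 10 00 0000000000000000000000000000000000000000
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Case 3: corrupted download; gpg emits BADSIG and no VALIDSIG at all.
BADSIG_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 96A87872B7EA3737 Michael Prokop <mika@grml.org>'

demo_good()   { printf '%s\n' "$GOOD_STATUS"   | status_has_expected_fpr "$EXPECTED_FPR"; }
demo_rogue()  { printf '%s\n' "$ROGUE_STATUS"  | status_has_expected_fpr "$EXPECTED_FPR"; }
demo_badsig() { printf '%s\n' "$BADSIG_STATUS" | status_has_expected_fpr "$EXPECTED_FPR"; }

for case in demo_good demo_rogue demo_badsig; do
    if "$case"; then echo "$case: ACCEPT (fingerprint matches)"; else echo "$case: REJECT"; fi
done
```

Against a real download the call is `verify_with_pinned_fpr grml64-full_2024.02.iso grml64-full_2024.02.iso.asc "$EXPECTED_FPR"`, after the key has been imported. The TRUST_UNDEFINED line is exactly the "not certified with a trusted signature" warning in status form; pinning the fingerprint makes that warning irrelevant for this decision, and locally signing the key (the manual page Winston links) is what silences it in gpg itself.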