Old 13th July 2014
jggimi

Quote:
Originally Posted by cravuhaw2C
Finally, the clarification that the ISO images can't be verified using GPG tools.
I thought I had done so an hour earlier, here. But I'm glad this is now clarified for you.
Quote:
For your info, the men-in-black are capable of corrupting all the mirrors of any Linux distro. Take Gentoo for example. One of their apps was infected with a backdoor and all of their mirrors contained the same infected file.
Then I am pleased to inform you that the cryptographic signatures that so concerned you in your posts to this forum to date ... would not provide any protection for this type of problem, whatsoever.

All that these systems do is prove that the person with the private key has signed the plaintext, and that it subsequently arrived without change. Any other comfort or feeling of safety you take beyond that simple fact is an assumption on your part.

No digital signature system, including the GPG toolset you are familiar with, can prevent that plaintext from attacks before it is signed, nor protect you if the person who has signed it is themselves a bad actor.

For every one of us, using software that came from others -- any software, of any kind, on any OS -- requires us to trust. Whether cryptographic signatures are in use, or not.
You may not be aware that successful attacks on cryptographic certification frameworks have occurred many times. And they will occur again. The most recent public announcement of one was two days ago. Whenever they occur, they permit bad actors to portray themselves as trusted authorities.
This inherent weakness in established frameworks is one of the reasons that OpenBSD developed signify(1), as it limits the chain of trust to a single authority.

Last edited by jggimi; 13th July 2014 at 06:25 AM. Reason: typo