download verification with md5?
mneumann at ntecs.de
Fri Jan 3 01:51:01 PST 2020
On Thu, Jan 02, 2020 at 11:02:05PM -0500, Justin Sherrill wrote:
> Agreed, you should generally have https everywhere, but I don't have
> time to work on that machine tonight. If it helps:
> SHA512 (dfly-x86_64-5.6.2_REL.img.bz2) =
> SHA512 (dfly-x86_64-5.6.2_REL.img) =
> SHA512 (dfly-x86_64-5.6.2_REL.iso) =
> SHA512 (dfly-x86_64-5.6.2_REL.iso.bz2) =
Would be great if you could in addition provide .asc signatures for the
files using security/gnupg.
1. Create key: gpg --gen-key
2. Export public key (put on website): gpg --export --armor youremailaddress > mykey.asc
3. Sign file: gpg --armor --detach-sign snapshot.tar.gz
4. Upload snapshot.tar.gz.asc
Then, everyone who trusts your public key can verify that these binaries
were actually signed by you using:
gpg --verify snapshot.tar.gz.asc snapshot.tar.gz
Given that your private key stays secured, this adds another layer of
security. Right now, even using SHA256 checksums would be no more secure
in case you download the checksum file (md5.txt or sha256.txt) from the
same mirror server as the file itself.
If you need help setting this up, please let me know.
> On Thu, Jan 2, 2020 at 2:59 PM inter.service.intelligence
> <inter.service.intelligence at protonmail.ch> wrote:
> > hey,
> > I was thinking about installing dragonflybsd but the download page doesn't show any hashes except md5, which is a joke at this point. Quote "cryptographically broken and unsuitable for further use"
> > Is that the approach to security at dragonflybsd? a md5 approach?
> > furthermore: there is no https on the http://lists.dragonflybsd.org/ and it handles sensitive information like an email.
> > Really not encouraging for security minded users like me.
> > Greets
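
The four steps and the verify command from the message above, run end to end as an added example (not part of the original post or of DragonFly's release tooling). It also shows why a checksum file served by the same mirror adds nothing. The key identity, file contents and directory layout are constructed, and GnuPG 2.1+ and GNU `sha512sum` are assumed to be installed.

```shell
#!/bin/sh
# Added example: throwaway key, constructed file contents and paths.
WORK=$(mktemp -d)
PUB="$WORK/publisher"     # publisher's keyring (holds the private key)
USR="$WORK/downloader"    # downloader's keyring (public key only)
MIRROR="$WORK/mirror"     # what an untrusted mirror serves
mkdir -m 700 "$PUB" "$USR" && mkdir "$MIRROR"
FILE="$MIRROR/snapshot.tar.gz"

make_key() {   # steps 1-2: create a key, export the public half
    gpg --homedir "$PUB" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Release Signer <release@example.invalid>' default default never
    gpg --homedir "$PUB" --export --armor release@example.invalid > "$WORK/mykey.asc"
    # The downloader obtains mykey.asc over a channel they trust, not from the mirror.
    gpg --homedir "$USR" --batch --quiet --import "$WORK/mykey.asc"
}

publish() {    # steps 3-4: sign, then upload file, .asc and checksum file
    printf 'constructed release contents\n' > "$FILE"
    gpg --homedir "$PUB" --batch --yes --quiet --armor --detach-sign "$FILE"
    (cd "$MIRROR" && sha512sum snapshot.tar.gz > sha512.txt)
}

simulate_untrusted_mirror() {
    # The mirror can change the file and regenerate the checksum file next
    # to it, but it has no private key with which to produce a new .asc.
    printf 'different contents\n' > "$FILE"
    (cd "$MIRROR" && sha512sum snapshot.tar.gz > sha512.txt)
}

checksum_ok()  { (cd "$MIRROR" && sha512sum -c sha512.txt) >/dev/null 2>&1; }
signature_ok() { gpg --homedir "$USR" --batch --verify "$FILE.asc" "$FILE" >/dev/null 2>&1; }

report() {
    checksum_ok  && c=pass || c=FAIL
    signature_ok && s=pass || s=FAIL
    echo "$1: checksum=$c signature=$s"
}

cleanup() {
    gpgconf --homedir "$PUB" --kill all 2>/dev/null
    gpgconf --homedir "$USR" --kill all 2>/dev/null
    rm -rf "$WORK"
}
trap cleanup EXIT

make_key
publish;                    report "as published"
simulate_untrusted_mirror;  report "file changed on mirror"
```

`gpg --verify` exits 0 for a good signature from an imported key even when it warns that the key is not certified, so the result is only as strong as the way `mykey.asc` was obtained.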