download verification with md5?

Steffen Nurpmeso steffen at
Fri Jan 3 13:29:49 PST 2020

Edgar Pettijohn wrote in <20200103150805.EBA4B8E0537 at crater.dragonflybsd\
 |On Jan 3, 2020 8:21 AM, Justin Sherrill <justin at> wrote:
 |> On Fri, Jan 3, 2020 at 4:51 AM Michael Neumann <mneumann at> wrote:
 |>> Given that your private key stays secured this adds another layer of
 |>> security. Right now, even using SHA256 checksums would be no more secure
 |>> in case you download the checksum file (md5.txt or sha256.txt) from the
 |>> same mirror server as the file itself.
 |>> If you need help setting this up, please let me know.
 |> This is a good idea, and a very helpful writeup.  I'm low on time (as
 |> is everyone, always) but I'm not working this weekend - let me see how
 |> far I get.
 |Don't forget to post the public key and the hash of the key and sign \
 |the key and arrange delivery of the key by armed escort to everyone \
 |wishing to download it to ensure security.

The CRUX Linux distribution switched from MD5 hashes to signify.
Compared to GPG this is _very_ small and easy, and only meant for
exactly this purpose.  Mind you, i for one could live with
improved OpenSSL tools -- they have the theoretical capability to
cover TLS / S/MIME / file checksumming and more, even multiple of
the latter in batch.  Unfortunately that is not true in practice.
(And i won't be the one who implements it.)

Leah Neukirchen maintains up-to-date portable code on github, not
only of that.

Please let me, as a non-mathematician non-cryptographer, wonder
how unsafe MD5 for the purpose of file-checksumming really is.

 --End of <20200103150805.EBA4B8E0537 at>

|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
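The point raised in the quoted reply, that a checksum file fetched from the same mirror as the download detects nothing if that mirror is compromised, whereas a signature over the checksum list does, shown as an added example that is not part of this thread or of signify itself. It models signify's approach (an Ed25519 signature over the SHA256 manifest) with Go's standard library; the file name, contents and key are constructed for the demonstration, and signify's actual file formats are not reproduced.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is what a mirror serves: the file, its checksum manifest, and the
// publisher's detached signature over that manifest (the signify model).
type Release struct {
	File, Manifest, Sig []byte
}

// manifestFor builds a one-line "SHA256 (name) = hex" manifest for file.
func manifestFor(name string, file []byte) []byte {
	sum := sha256.Sum256(file)
	return []byte(fmt.Sprintf("SHA256 (%s) = %s\n", name, hex.EncodeToString(sum[:])))
}

// Publish signs the manifest with the private key, which stays with the publisher.
func Publish(priv ed25519.PrivateKey, name string, file []byte) Release {
	m := manifestFor(name, file)
	return Release{File: file, Manifest: m, Sig: ed25519.Sign(priv, m)}
}

// ChecksumOnly is the "sha256.txt from the same mirror" check: hash must match the manifest.
func ChecksumOnly(name string, r Release) bool {
	return bytes.Equal(manifestFor(name, r.File), r.Manifest)
}

// SignedChecksum first verifies the manifest against the publisher's public key
// (obtained out of band, not from the mirror), then checks the hash as above.
func SignedChecksum(pub ed25519.PublicKey, name string, r Release) bool {
	return ed25519.Verify(pub, r.Manifest, r.Sig) && ChecksumOnly(name, r)
}

// Tamper models a compromised mirror: it swaps the file and regenerates the
// checksum manifest, but has no private key and so must reuse the old signature.
func Tamper(name string, r Release, other []byte) Release {
	return Release{File: other, Manifest: manifestFor(name, other), Sig: r.Sig}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	good := Publish(priv, "dfly.iso", []byte("constructed sample release contents"))
	bad := Tamper("dfly.iso", good, []byte("constructed altered contents"))
	fmt.Println("genuine:  checksum", ChecksumOnly("dfly.iso", good), "signed", SignedChecksum(pub, "dfly.iso", good))
	fmt.Println("altered:  checksum", ChecksumOnly("dfly.iso", bad), "signed", SignedChecksum(pub, "dfly.iso", bad))
}
```

The checksum-only check passes for both releases; only the signed check rejects the altered one, and it does so regardless of whether the manifest uses MD5 or SHA256.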
