download verification with md5?

Michael Neumann mneumann at ntecs.de
Fri Jan 3 01:51:01 PST 2020


On Thu, Jan 02, 2020 at 11:02:05PM -0500, Justin Sherrill wrote:
> Agreed, you should generally have https everywhere, but I don't have
> time to work on that machine tonight.  If it helps:
> 
> SHA512 (dfly-x86_64-5.6.2_REL.img.bz2) =
> 9efd1c1d85408ced59f4ab9509178358971e49627094c75a45b9533ac4a20753380237635a2c0c3c3d09e150a195770b5917866e93bf6e0d8cbbe5c90637b41f
> SHA512 (dfly-x86_64-5.6.2_REL.img) =
> f2860ff51d3cb162933cca1d38fabdf1920a8aa91c1fe0cefe351cbc14c7abaa638958e6d0042b02efde6375e916222bbafd18d03d9cde94369ef1e293e25092
> SHA512 (dfly-x86_64-5.6.2_REL.iso) =
> 3af1f8a8cf5ead7d9e9afbd3392821ed74398aca94239c77114c8c75a74af7f1e78b760dffebef6d452b0d9502724fbc3eeded718c845378f3847e6ca2eca57b
> SHA512 (dfly-x86_64-5.6.2_REL.iso.bz2) =
> 97407ab9c0c2bf9d459cd8f9d2d2796dd4466a8cfe67692eaaa2cf833eea16670ba7ab075dd76678ef979492cb9336ee332b49a5664b62f297660fa930c1e86d

Thanks Justin!

It would be great if you could also provide .asc signatures for the
files using security/gnupg.

1. Create key: gpg --gen-key

2. Export public key (put on website): gpg --export --armor youremailaddress > mykey.asc

3. Sign file: gpg --armor --detach-sign snapshot.tar.gz

4. Upload snapshot.tar.gz.asc

Then, everyone who trusts your public key can verify that these binaries
were actually signed by you using:

gpg --verify snapshot.tar.gz.asc snapshot.tar.gz

Given that your private key stays secured, this adds another layer of
security. Right now, even using SHA256 checksums would be no more secure
if you download the checksum file (md5.txt or sha256.txt) from the
same mirror server as the file itself.

If you need help setting this up, please let me know.

Regards,

  Michael

> 
> On Thu, Jan 2, 2020 at 2:59 PM inter.service.intelligence
> <inter.service.intelligence at protonmail.ch> wrote:
> >
> > hey,
> > I was thinking about installing dragonflybsd but the download page doesn't show any hashes except md5, which is a joke at this point. Quote: "cryptographically broken and unsuitable for further use"
> >
> > Is that the approach to security at dragonflybsd? an md5 approach?
> >
> > furthermore: there is no https on the http://lists.dragonflybsd.org/ and it handles sensitive information like an email.
> >
> >
> > Really not encouraging for security minded users like me.
> >
> > Greets
> >
> >

-- 
Michael Neumann
NTECS Consulting
www.ntecs.de
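As an added illustration of the checksum side of this thread (not code from the thread or from the DragonFly project), the following Python script parses checksum lines in the exact `SHA512 (name) = hex` form Justin posted, hashes the local download, compares in constant time, and refuses MD5/SHA1 lines outright. The file names, payloads and the checksum list are constructed inside the script; Justin's real hashes are not reused. It checks integrity only: as Michael notes, a checksum list fetched from the same mirror proves nothing about who produced the file, which is what the separate `gpg --verify` step on a detached .asc signature adds.

```python
"""Verify downloads against a BSD-style checksum list (SHA512 (name) = hex).

Added example, not part of the mailing-list thread. Sample files and the
checksum list are constructed here so the script runs offline.
"""
import hashlib
import hmac
import os
import re
import tempfile

# Matches lines such as "SHA512 (dfly-x86_64-5.6.2_REL.iso) = 3af1...".
LINE_RE = re.compile(
    r"^\s*(?P<algo>[A-Za-z0-9]+)\s*\((?P<name>[^)]+)\)\s*=\s*(?P<hex>[0-9a-fA-F]+)\s*$"
)

# Only collision-resistant digests are accepted; MD5 and SHA1 lines raise,
# which is exactly the original poster's objection to an md5-only download page.
ACCEPTED = {"SHA256": "sha256", "SHA512": "sha512"}


def parse_checksum_file(text):
    """Return {filename: (hashlib_name, hexdigest)}; raise on weak or unparseable lines."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable checksum line: %r" % line)
        algo = m.group("algo").upper()
        if algo not in ACCEPTED:
            raise ValueError("refusing weak/unknown digest %s for %s" % (algo, m.group("name")))
        entries[m.group("name")] = (ACCEPTED[algo], m.group("hex").lower())
    return entries


def file_digest(path, hashlib_name, chunk=1 << 20):
    """Stream the file through the digest so large .iso/.img downloads fit in memory."""
    h = hashlib.new(hashlib_name)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify(checksum_text, directory):
    """Return {filename: True (match) / False (mismatch) / None (file not present)}."""
    results = {}
    for name, (algo, expected) in parse_checksum_file(checksum_text).items():
        # basename(): a checksum list must not be able to point outside the download dir
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = None
            continue
        actual = file_digest(path, algo)
        results[name] = hmac.compare_digest(actual, expected)
    return results


def demo():
    """Constructed scenario: one intact file, one file tampered after listing, one never downloaded."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "dfly-example_REL.img")
        bad = os.path.join(d, "dfly-example_REL.iso")
        with open(good, "wb") as f:
            f.write(b"constructed image payload\n" * 1000)
        with open(bad, "wb") as f:
            f.write(b"constructed iso payload\n" * 1000)
        # Build the list the way a mirror would, then corrupt one file afterwards.
        lines = ["SHA512 (%s) = %s" % (os.path.basename(p), file_digest(p, "sha512"))
                 for p in (good, bad)]
        lines.append("SHA512 (dfly-example_REL.iso.bz2) = " + "0" * 128)  # not downloaded
        with open(bad, "ab") as f:
            f.write(b"X")
        return verify("\n".join(lines), d)


def demo_rejects_md5():
    """True if an MD5-only checksum line is refused rather than silently accepted."""
    try:
        parse_checksum_file("MD5 (dfly-example_REL.iso) = " + "0" * 32)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("md5 rejected:", demo_rejects_md5())
```

Running the script reports the intact image as True, the tampered iso as False and the absent .bz2 as None. In practice the checksum list would be fetched from the project's own HTTPS site rather than the mirror, and the .asc signature verified with gpg first, so that the list being compared against is itself trustworthy.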
