On 6/25/23 22:09, Johannes Kastl wrote:
> Good morning,
> On 26.06.23 at 05:19 Lew Wolfgang wrote:
>> On 6/25/23 14:55, Georg Pfuetzenreuter via openSUSE Factory wrote:
>>> Hi,
>>> all packages are signed using GPG - you can establish trust by validating their signatures. ISO images are shipped together with a signed checksum you can validate and compare.
>> Yes, sha256 hashes are good. But where do you get the hash from? The same site that offers the ISO? What could possibly go wrong?
> Georg already wrote that the checksum is signed. Hence you can check if the checksum you downloaded is legit. Of course for that you need to trust the openSUSE GPG key.
Ah, good point. Maybe only the unwary are threatened? Still, domain-validated certs do present a security threat, however small. In a manner of speaking they're like self-signed certs, except their CAs are recognized by browsers. But I don't think that browsers report a cert as being EV anymore, so the whole thing may be moot anyway.

Regards,
Lew
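As an added example (not from the thread or from openSUSE), a POSIX shell check that does what Georg and Johannes describe: verify the clearsigned checksum file, pin the signing key to a fingerprint obtained out of band (a placeholder here, not the real openSUSE fingerprint), and only then compare the ISO's sha256. It assumes gpg and sha256sum are installed and the signing key has already been imported.

```shell
#!/bin/sh
# Added example, not from the thread. Verifies an ISO against a clearsigned
# checksum file in the "<hex>  <filename>" format produced by sha256sum.
# Assumes gpg and sha256sum are installed and the signing key is imported.
#
# verify_iso ISO SIGNED_SUMS EXPECTED_FINGERPRINT
# Returns 0 on success, otherwise:
#   1 bad or missing signature    2 signed by an unexpected key
#   3 ISO not listed in the file  4 sha256 mismatch
verify_iso() {
  iso=$1; sums=$2; want_fpr=$3
  # Step 1: the signature must verify. gpg exits 0 even when the key is not
  # trusted in the web of trust, so the fingerprint pin in step 2 is what
  # actually ties the checksum to the publisher.
  status=$(gpg --batch --status-fd 1 --verify "$sums" 2>/dev/null) || return 1
  # "[GNUPG:] VALIDSIG <fingerprint> ..." names the key that made the signature.
  got_fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')
  # Step 2: pin to the fingerprint the caller obtained out of band.
  [ -n "$got_fpr" ] && [ "$got_fpr" = "$want_fpr" ] || return 2
  # Step 3: extract the signed plaintext and find this file's expected hash.
  name=$(basename "$iso")
  expected=$(gpg --batch --decrypt "$sums" 2>/dev/null \
             | awk -v f="$name" '$2 == f {print $1; exit}')
  [ -n "$expected" ] || return 3
  # Step 4: only now hash the (possibly large) ISO and compare.
  actual=$(sha256sum "$iso" | awk '{print $1}')
  [ "$actual" = "$expected" ] || return 4
  return 0
}
```

The return codes distinguish a forged or altered checksum file (1), a checksum signed by some other key (2), and a download that does not match a genuine checksum (4), which is the distinction Lew's question about the hash's origin is really about.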