On 6/25/23 14:55, Georg Pfuetzenreuter via openSUSE Factory wrote:
> Hi,
> all packages are signed using GPG - you can establish trust by validating their signatures. ISO images are shipped together with a signed checksum you can validate and compare.

Yes, sha256 hashes are good. But where do you get the hash from? The same site that offers the ISO? What could possibly go wrong?

> Many use plain HTTP to download openSUSE packages and images as the binary authenticity is not related to the security of the transport channel.

I agree, but that's not the issue.

> You can find some instructions on validating downloaded openSUSE ISO images here: https://en.opensuse.org/SDB:Download_help#Checksums

Yup, but where do you get the One True Hash?

> Apart from this, Let's Encrypt is as valid of a certificate authority as any other doing purely domain validation. Whether paid ones doing organization validation are more trustworthy is a debatable topic.

The issue is of validation of control of the domain. A hacker could take over opensuse.org, then take out a Let's Encrypt cert and distribute malware over the secure channel.

Regards,
Lew
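The exchange above turns on where the trusted hash comes from. The practical answer is that the hash's provenance is the signature on the .sha256 file, and that signature only means something if the signing key is pinned to a fingerprint obtained somewhere other than the download site. The following script is an added example written for this page; it is not code from the thread, from the linked wiki page, or from the openSUSE project. It assumes the .sha256 file is PGP clear-signed text (the layout openSUSE publishes), treats PINNED_FPR as a placeholder the reader must replace with a fingerprint obtained out of band, and uses the ISO filenames in the usage comment purely as examples.

```shell
#!/bin/sh
# Added example (not from the thread, the openSUSE wiki, or the project): verify an ISO
# against its clear-signed .sha256 file, pinning the signing key to a fingerprint that was
# obtained out of band. A hash fetched from the same host as the ISO proves nothing on its
# own; a signature from a key whose fingerprint you already hold does.
set -eu

# ASSUMPTION / PLACEHOLDER: replace with the fingerprint from a source independent of the
# download site (printed media, a keyserver cross-check, a colleague's copy, ...).
PINNED_FPR="${PINNED_FPR:-REPLACE_WITH_FINGERPRINT_OBTAINED_OUT_OF_BAND}"

# SHA-256 of a file; works with both coreutils and BSD/macOS userland.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Extract the expected digest for FILE from the checksum text on stdin. Only lines shaped
# "<64 hex chars>  <filename>" count, so PGP armor, "Hash:" headers and the signature
# body are ignored without any special-casing.
expected_digest() {
    awk -v f="$1" 'length($1) == 64 && $1 ~ /^[0-9a-f]+$/ && $2 == f { print $1; exit }'
}

# Compare the computed digest of FILE with the one listed for it in SUMFILE.
# Prints OK (status 0) or MISMATCH (status 1); status 2 if the file is not listed.
verify_checksum() {
    file="$1"; sumfile="$2"
    want=$(expected_digest "$(basename "$file")" < "$sumfile")
    [ -n "$want" ] || { echo "no digest for $file in $sumfile" >&2; return 2; }
    have=$(sha256_of "$file")
    if [ "$have" = "$want" ]; then
        echo OK
    else
        echo MISMATCH
        return 1
    fi
}

# Verify the clear-text signature on SUMFILE and insist that the signer is the pinned key.
# gpg's machine-readable status lines are used rather than its human-readable output;
# "[GNUPG:] VALIDSIG <fingerprint> ..." is only emitted for a good signature.
verify_signature() {
    sumfile="$1"
    status=$(gpg --status-fd 1 --verify "$sumfile" 2>/dev/null || true)
    fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3; exit }')
    [ -n "$fpr" ] || { echo "signature on $sumfile did not verify" >&2; return 1; }
    [ "$fpr" = "$PINNED_FPR" ] || { echo "signed by $fpr, not the pinned key" >&2; return 1; }
    echo "good signature from pinned key $fpr"
}

# Full check: signature first (who vouches for the hash), then the hash itself.
# Example usage (filenames are illustrative):
#   verify_iso openSUSE-Leap-15.5-DVD-x86_64-Media.iso openSUSE-Leap-15.5-DVD-x86_64-Media.iso.sha256
verify_iso() {
    verify_signature "$2" && verify_checksum "$1" "$2"
}
```

Note that `gpg --verify` succeeding is not the check; a compromised site can ship a .sha256 file signed by any key it likes, and gpg will happily report a "good signature" from it once the matching public key has been imported. The comparison against PINNED_FPR is what ties the hash back to something the attacker in Lew's scenario does not control.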