Lew Wolfgang <wolfgang@sweet-haven.com> writes:
> On 6/25/23 22:09, Johannes Kastl wrote:
>> Good morning,
>>
>> On 26.06.23 at 05:19 Lew Wolfgang wrote:
>>> On 6/25/23 14:55, Georg Pfuetzenreuter via openSUSE Factory wrote:
>>>> Hi,
>>>> all packages are signed using GPG - you can establish trust by validating their signatures. ISO images are shipped together with a signed checksum you can validate and compare.
>>> Yes, sha256 hashes are good. But where do you get the hash from? The same site that offers the ISO? What could possibly go wrong?
>> Georg already wrote that the checksum is signed. Hence you can check if the checksum you downloaded is legit. Of course for that you need to trust the openSUSE GPG key.
> Ah, good point. Maybe only the unwary are threatened?
>
> Still, domain-validated certs do present a security threat, however small. In a manner of speaking they're like self-signed certs, except their CAs are recognized by browsers. But I don't think that browsers report a cert as being EV anymore, so the whole thing may be moot anyway.
EV certificates are the same thing as domain validated certificates. The only difference is that the certificate authority *claims* that they have verified that the owner of the domain is a legitimate business. But since such a verification is not standardized in any fashion, its actual quality and usefulness varies wildly.

Cheers,

Dan

-- 
Dan Čermák <dcermak@suse.com>
Software Engineer Development tools
SUSE Software Solutions Germany GmbH
Frankenstrasse 146
90461 Nürnberg
Germany
(HRB 36809, AG Nürnberg)
Managing Director/Geschäftsführer: Ivo Totev, Andrew Myers, Andrew McDonald, Boudien Moerman
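The verification chain Georg and Johannes describe, as an added example that is not part of the thread and not an openSUSE-provided script: the ISO and its checksum file come from the same site, so the only thing that anchors trust is the signature on the checksum file, checked against a key obtained out of band. It assumes a detached `.asc` signature, a keyring file exported from that key, and a placeholder fingerprint; the fingerprint and file names are constructed, not the project's real values.

```shell
#!/bin/sh
# Chain of trust: pinned keyring -> signature over checksum file -> checksum -> ISO.
# Assumption: the keyring was built from a key fetched and fingerprint-checked
# out of band (not from the download mirror). Placeholder fingerprint below.
KEYRING="${KEYRING:-./opensuse-signing-key.gpg}"           # assumed path
EXPECTED_FPR="${EXPECTED_FPR:-0123456789ABCDEF0123456789ABCDEF01234567}"  # placeholder

# Accept a gpgv status stream only if it contains a VALIDSIG line for the
# expected fingerprint. Exit status 0 from gpgv alone is not enough: it says
# "some key in the keyring signed this", not "the key you decided to trust did".
signature_accepted() {
  # $1 = gpgv --status-fd output, $2 = expected 40-hex fingerprint
  printf '%s\n' "$1" | grep -q "^\[GNUPG:\] VALIDSIG $2 "
}

# Verify the detached signature on the checksum file with the pinned keyring
# only (gpgv ignores the default keyring and web-of-trust settings).
verify_checksum_file() {
  # $1 = checksum file, $2 = detached signature (.asc), $3 = expected fingerprint
  status=$(gpgv --keyring "$KEYRING" --status-fd 1 "$2" "$1" 2>/dev/null) || true
  signature_accepted "$status" "$3"
}

# Compare the ISO against the entry for its file name in an already
# signature-verified checksum file ("<sha256>  <filename>" lines).
verify_iso() {
  # $1 = ISO path, $2 = checksum file
  expected=$(grep " $(basename "$1")\$" "$2" | cut -d' ' -f1)
  [ -n "$expected" ] || return 1                 # no entry for this file
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$expected" = "$actual" ]
}

# Usage: sh verify-iso.sh <image.iso> <image.iso.sha256> <image.iso.sha256.asc>
if [ "$#" -eq 3 ]; then
  if verify_checksum_file "$2" "$3" "$EXPECTED_FPR" && verify_iso "$1" "$2"; then
    echo "OK: $1"
  else
    echo "REJECTED: $1" >&2
    exit 1
  fi
fi
```

The checksum step only runs after the signature step succeeds; a checksum file that fails signature verification is never consulted, which is the whole point of shipping it signed.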