Ludwig Nussel wrote:
Aleksa Sarai wrote:
On 29/02/16 20:02, Ludwig Nussel wrote:
Aleksa Sarai wrote:
Given the recent case of Linux Mint, I went to double-check how we deal with distribution of checksums and images. It looks like we just distribute them all without TLS, which means there's no hardening against MITM attacks on users trying to download openSUSE. In addition, I couldn't find any mention of GPG signatures for the releases, so there's no web-of-trust way of verifying that an image I download is one that was signed by the key of the chief maintainers.
Check https://software.opensuse.org, section "Verify your download before use". The sha256 checksum files are signed inline using GPG.
While this might be true for Leap, this doesn't appear to be the case for Tumbleweed:
http://download.opensuse.org/tumbleweed/iso/openSUSE-Tumbleweed-NET-x86_64-C...
Interesting and unexpected :-) As you can see from the directory listing at http://download.opensuse.org/tumbleweed/iso/ the *-Current.iso.sha256 files don't actually exist. We only have .sha256 files for the files with the actual snapshot number in them. So I guess mirrorbrain generates the content when you request it. So I guess we need some clever redirect to the correct file there.
Ok, that part is done. Mind updating the wiki with instructions on how to use gpg to verify the download?

cu
Ludwig

--
(o_ Ludwig Nussel
//\ V_/_ http://www.suse.com/
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
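The kind of verification the thread asks to document, as an added example (not from the thread or the openSUSE wiki): check the GPG signature on the inline-signed .sha256 file against the expected signing-key fingerprint, then check the ISO against the checksum it carries. It assumes the openSUSE signing key is already imported into the local keyring from a trusted source, and KEY_FPR is a placeholder for that key's fingerprint.

```shell
#!/bin/sh
# Added example, not openSUSE project code. Assumes: gpg and GNU coreutils are
# installed, the openSUSE signing key is already in the keyring, and KEY_FPR
# (placeholder) holds its full fingerprint.
set -eu
KEY_FPR="${KEY_FPR:-REPLACE_WITH_TRUSTED_KEY_FINGERPRINT}"

# Extract the signed payload (the "hash  filename" line) from a clearsigned
# file: everything between the blank line that ends the "Hash:" header block
# and the "-----BEGIN PGP SIGNATURE-----" marker, undoing dash-escaping.
clearsigned_payload() {
    awk '
        /^-----BEGIN PGP SIGNED MESSAGE-----$/ { inhdr = 1; next }
        inhdr && /^$/ { inhdr = 0; inbody = 1; next }
        /^-----BEGIN PGP SIGNATURE-----$/ { exit }
        inbody { sub(/^- /, ""); print }
    ' "$1"
}

# Compare the checksum line for this ISO against the file itself. This needs
# no gpg, so it is the part the offline test exercises. Fails closed when no
# line for the ISO is present in the payload.
check_sum() {
    iso=$1; sumfile=$2
    clearsigned_payload "$sumfile" | grep " $(basename "$iso")\$" \
        | (cd "$(dirname "$iso")" && sha256sum -c --quiet -)
}

# Full check: 1) the .sha256 file carries a valid signature made by KEY_FPR
# (a valid signature by *any* key is not enough), 2) the ISO matches it.
verify_iso() {
    iso=$1; sumfile=$2
    gpg --status-fd 1 --verify "$sumfile" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $KEY_FPR " || {
        echo "signature check FAILED for $sumfile (expected key $KEY_FPR)" >&2
        return 1
    }
    check_sum "$iso" "$sumfile"
}
```

Usage: `verify_iso openSUSE-Tumbleweed-NET-x86_64-Snapshot.iso openSUSE-Tumbleweed-NET-x86_64-Snapshot.iso.sha256` (filenames are placeholders); a non-zero exit means either the signature or the checksum did not check out.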