Cryptographically signed ISO images

RW rwmaillists at googlemail.com
Mon Mar 3 16:02:25 UTC 2014


On Mon, 3 Mar 2014 09:50:05 -0600 (CST)
Valeri Galtsev wrote:

> The only difference I see in general between the signature and SHA-2
> hash is in a chain of trust. The rest (assurance that what you have
> resembles the signature in one case or SHA-2 hash in the other) is on
> the same level of security. Chain of trust is different though: in
> case of pgp or gpg signature you know the public key of signee from
> some published source (i.e. you trust that source). In case of SHA-2
> hash you have to trust the web site that provides the hashes, which
> you accomplish by verifying that SSL Certificate the site presents is
> signed by trusted authority and by common sense (is this site related
> to FreeBSD thus authoritative to provide signatures or not).
> 
> If someone sees mistake(s) in what I said, please, let me know.

That's fine if you can download the checksum files by HTTPS, but on an
FTP server it's no more than a check against corruption.
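The distinction in the thread (a checksum file from an unauthenticated source detects corruption but not substitution, whereas a digest anchored in something you already trust, the way a signer's public key anchors a GPG signature, detects both) can be shown with a small script. This is an added example, not code from the original post or from FreeBSD; it assumes the FreeBSD-style `SHA256 (file) = digest` checksum line format and uses constructed stand-in bytes instead of a real ISO.

```python
import hashlib
import hmac
import re

# One line of a FreeBSD-style CHECKSUM.SHA256 file: "SHA256 (name) = <64 hex chars>"
CHECKSUM_LINE_RE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-f]{64})$")

def parse_checksum_file(text):
    """Map file name -> expected hex digest from a CHECKSUM.SHA256 file."""
    expected = {}
    for line in text.splitlines():
        m = CHECKSUM_LINE_RE.match(line.strip())
        if m:
            expected[m.group("name")] = m.group("digest")
    return expected

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def make_checksum_file(files):
    """Build a CHECKSUM.SHA256 file for {name: bytes}."""
    return "\n".join(f"SHA256 ({n}) = {sha256_hex(d)}" for n, d in files.items()) + "\n"

def verify_against_file(name, data, checksum_text):
    """Integrity only: trusts whatever the checksum file that arrived with the image says."""
    expected = parse_checksum_file(checksum_text)
    return name in expected and hmac.compare_digest(sha256_hex(data), expected[name])

def verify_against_pinned(data, pinned_digest):
    """Authenticity: the digest was obtained over a trusted channel (HTTPS from the
    project site, a release announcement, etc.), independent of the download mirror."""
    return hmac.compare_digest(sha256_hex(data), pinned_digest)

NAME = "example-disc1.iso"             # hypothetical file name
GENUINE = b"genuine image bytes"       # constructed stand-in for the real ISO
DIFFERENT = b"different image bytes"   # constructed stand-in for a damaged or replaced ISO

def scenario():
    """Returns (corruption caught, substitution caught by hash file, substitution caught by pin)."""
    checksum_file = make_checksum_file({NAME: GENUINE})
    pinned = sha256_hex(GENUINE)       # recorded from a trusted source before downloading
    # 1. Genuine checksum file, image damaged in transit: the hash check catches it.
    corruption_caught = not verify_against_file(NAME, DIFFERENT, checksum_file)
    # 2. Mirror serves a different image together with a checksum file that matches it:
    #    nothing ties that file to the publisher, so the hash-only check passes.
    matching_file = make_checksum_file({NAME: DIFFERENT})
    substitution_caught_by_hash = not verify_against_file(NAME, DIFFERENT, matching_file)
    # 3. Same image checked against the pinned digest: caught, because the trust anchor
    #    never passed through the mirror.
    substitution_caught_by_pin = not verify_against_pinned(DIFFERENT, pinned)
    return corruption_caught, substitution_caught_by_hash, substitution_caught_by_pin
```

The middle result is the "no more than a check against corruption" case; a GPG signature verified against a key obtained elsewhere plays the same role as the pinned digest here.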


More information about the freebsd-questions mailing list