
#1 2018-09-06 13:22

Lnx5i
Member
Registered: 2018-09-06
Posts: 3

Signed iso images and installer with GPG

I think you should sign the Windows installer and iso images with GnuPG. If you can't afford a certificate for the Windows installer (I know it's very expensive) you could sign the files with GnuPG. It doesn't cost anything and it will give people reassurance that they're downloading the real thing, so to speak. People with high security requirements can be sure it has not been modified, that they're not downloading a bad or malicious version.

The checksums only answer the question "Did I download this file properly?" whilst the gpg crypto signatures give an answer to the question "Is this the file the developers intended me to get?". You should also use a different checksum than md5, since hasn't that been broken for a while now? I recommend sha-2 (not sha-1), sha-256 or sha-512 (kind of overkill?).

This will make q4os safer to use. smile


#2 2019-02-24 10:13

Rademes
Member
From: Latvia
Registered: 2015-12-13
Posts: 364

Re: Signed iso images and installer with GPG

UP!
I also wonder, why q4osteam still does not sign their images with GnuPG. Also the checksum algorithm should be different. MD5 is not strong enough... SHA256 is the best option in my opinion.
Still, almost all mature Linux distributions are GnuPG signed, and that makes them more trustworthy for downloading and testing.

Last edited by Rademes (2019-02-24 10:34)
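The workflow both posts ask for, as an added example that is not code from the thread or from the q4os project: the publisher hashes the release with SHA-256 and puts a detached GnuPG signature over the checksum list, and the downloader verifies the signature before trusting the checksums. The file names (q4os.iso, SHA256SUMS, SHA256SUMS.asc) and the key ID are assumptions.

```shell
#!/bin/sh
# Added example, not code from the q4os project. Two sides of the workflow
# the thread asks for. Assumed names: q4os.iso, SHA256SUMS, SHA256SUMS.asc,
# and the maintainers' key ID (a placeholder) already in the local keyring.
set -u

# Publisher side: hash the release with SHA-256 (not MD5) and put a detached,
# ASCII-armoured GnuPG signature over the checksum list. Signing the list
# once covers every file it names.
sign_release() {
    key_id="$1"          # key fingerprint; placeholder supplied by the caller
    shift                # remaining arguments: release files to hash
    sha256sum "$@" > SHA256SUMS &&
    gpg --local-user "$key_id" --armor --detach-sign --output SHA256SUMS.asc SHA256SUMS
}

# Downloader side, step 1: does the signature over the checksum list verify
# against a key in our keyring? This answers "is this what the developers published?"
verify_signature() {
    sig_file="$1"; signed_file="$2"
    gpg --verify "$sig_file" "$signed_file" >/dev/null 2>&1
}

# Downloader side, step 2: do the local files match the (now trusted) list?
# This answers "did the bytes arrive intact?"; --strict also fails on malformed lines.
verify_checksums() {
    sums_file="$1"
    sha256sum --check --strict "$sums_file" >/dev/null 2>&1
}

# Order matters: check the signature before trusting the checksum list, since
# anyone who can swap the ISO on a mirror can swap an unsigned SHA256SUMS too.
verify_release() {
    verify_signature SHA256SUMS.asc SHA256SUMS || { echo "bad or missing signature" >&2; return 2; }
    verify_checksums SHA256SUMS || { echo "checksum mismatch" >&2; return 3; }
    echo "signature and checksums OK"
}
```

gpg --verify exits 0 for a valid signature from any key in the keyring, trusted or not, so compare the fingerprint it reports against one published out of band (for example on the project website) before relying on the result.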

