Bug 12180

Summary: GPG Signing of IPfire releases
Product: Infrastructure
Reporter: gpatel-fr <gerard5609>
Component: Web Site
Assignee: Michael Tremer <michael.tremer>
Status: CLOSED DUPLICATE
QA Contact:
Severity: Security
Priority: - Unknown -
Version: unspecified
Hardware: unspecified
OS: Unspecified

Description gpatel-fr 2019-09-13 21:04:50 UTC
Currently the IPFire releases have hashes available that allow verifying the download integrity, on this page:
https://www.ipfire.org/download/ipfire-2.23-core135

Other distros go further and allow verifying the integrity of the hashes themselves, for example:
http://releases.ubuntu.com/bionic/
The hashes are stored in files, and there are GPG files allowing to verify that the hashes (and the ISOs themselves) originate from the developers, in case the web page is hacked or DNS is poisoned.

Ubuntu is not an isolated case, see for example
https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/
https://getfedora.org/en/security/
https://alpinelinux.org/downloads/
http://mirrors.evowise.com/archlinux/iso/2019.09.01/

While this is not a pressing matter, I think that this would enhance IPFire's standing and remove a small motivation for hackers to target IPFire, knowing that a hacked image could be detected relatively easily.
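The flow the report asks for, as an added example that is not part of the bug report and not IPFire's release tooling: a publisher writes a SHA256SUMS file and a detached GPG signature over it, and a downloader checks the signature first, then the image against the signed hash. The key, the "ISO" and both tampering scenarios are constructed in a temp directory; it assumes gpg (2.1 or newer) and sha256sum are installed.

```shell
#!/bin/sh
# Added example (not IPFire's release tooling): publish/verify flow for a
# signed checksum file, run against a throwaway key and a constructed image.
# Assumes gpg 2.1+ and GNU sha256sum. Everything lives under a temp directory.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"

# --- publisher side ---------------------------------------------------------

# Generate a throwaway release-signing key (constructed; NOT a real project key).
make_release_key() {
    cat > "$WORK/keyparams" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Example Release Signing
Name-Email: release@example.invalid
Expire-Date: 0
%commit
EOF
    gpg --batch --quiet --gen-key "$WORK/keyparams" >/dev/null 2>&1
}

# Write the image, a SHA256SUMS file, and a detached ASCII-armored signature
# over SHA256SUMS (the layout the Ubuntu/Debian mirrors cited above use).
publish_release() {
    dir=$1
    mkdir -p "$dir"
    printf 'constructed image contents\n' > "$dir/example.iso"
    (cd "$dir" && sha256sum example.iso > SHA256SUMS)
    gpg --batch --yes --quiet --armor --detach-sign \
        -o "$dir/SHA256SUMS.asc" "$dir/SHA256SUMS" >/dev/null 2>&1
}

# --- downloader side --------------------------------------------------------

# Returns 0 if both checks pass, 1 if the signature over SHA256SUMS is bad
# (the hash list was not produced by the release key), 2 if the signature is
# good but the image does not match its signed hash.
verify_release() {
    dir=$1
    gpg --batch --verify "$dir/SHA256SUMS.asc" "$dir/SHA256SUMS" >/dev/null 2>&1 || return 1
    (cd "$dir" && sha256sum -c --quiet SHA256SUMS >/dev/null 2>&1) || return 2
    return 0
}

# --- the two failure modes the report worries about (hacked page / DNS) -----

# Image replaced but the hash list left alone: sha256sum -c catches it.
tamper_image_only() {
    src=$1; dst=$2
    rm -rf "$dst"; cp -r "$src" "$dst"
    printf 'modified image contents\n' > "$dst/example.iso"
}

# Image replaced AND SHA256SUMS rewritten to match. A hash-only download page
# would accept this; the detached signature no longer verifies.
tamper_image_and_sums() {
    src=$1; dst=$2
    rm -rf "$dst"; cp -r "$src" "$dst"
    printf 'modified image contents\n' > "$dst/example.iso"
    (cd "$dst" && sha256sum example.iso > SHA256SUMS)
}

# Run the scenarios and report the verification result of each.
make_release_key
publish_release "$WORK/release"
tamper_image_only "$WORK/release" "$WORK/tampered-image"
tamper_image_and_sums "$WORK/release" "$WORK/tampered-both"

for d in release tampered-image tampered-both; do
    rc=0
    verify_release "$WORK/$d" || rc=$?
    echo "$d: verify_release returned $rc"
done
```

The order of the two checks is the whole point: the signature is verified before the hash list is trusted, so an attacker who can rewrite the download page (or redirect it) can make the hashes match a replaced image, but cannot make SHA256SUMS.asc verify without the release key. In practice the downloader also needs the release public key from a channel other than the same web page, which this example sidesteps by generating the key locally.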
Comment 1 gpatel-fr 2019-09-13 21:19:07 UTC
After posting this bug I noticed that it was already present.
Comment 2 gpatel-fr 2019-09-13 21:19:35 UTC

*** This bug has been marked as a duplicate of bug 11345 ***