This is suggested by Mark Rijckenberg from Belfius: Hi, I noticed that your team still distributes SHA1 checksums for the .iso images for IPFire at – for example – the following URL: http://downloads.ipfire.org/release/ipfire-2.19-core110 May I kindly ask you to take a look at the following links? https://en.wikipedia.org/wiki/Secure_Hash_Algorithms https://github.com/gobolinux/LiveCD/issues/8 MD5, SHA-0 and SHA1 are all vulnerable to collision attacks. SHA256 (or SHA512) is now the standard (for the moment). I highly recommend dropping the use of SHA1 and replacing it with only SHA256 (or SHA512). I am simply using Qubes OS as an excellent point of reference, which uses SHA256 and SHA512. https://www.qubes-os.org/security/verifying-signatures/ https://www.qubes-os.org/downloads/ Concerning the use of Bittorrent, could you please read this? https://www.ghacks.net/2016/02/21/linux-mint-hacked-iso-images-compromised/ If you put the .iso image and corresponding SHA256 checksum file in a .zip file and distribute it immediately via Bittorrent BEFORE hosting it on a website, hackers will probably not be able to compromise the integrity of the .iso image, because the SHA256 checksum in the Bittorrent file is much harder to alter than one stored on a website. Furthermore, you then have the option of comparing the SHA256 value in the .torrent file with the value on the website. This goes even further than what most GNU/Linux distributions actually do…. “The reason is simple; popular torrents are distributed from several seeders and peers, and once they are in circulation, it is not possible to manipulate the data, say replace it with a hacked image.” ---- Goal would be to create a detached PGP signature and include that in the torrent files and show that on the website so that every downloader can verify our ISO images.
* ping * ;-)
- ping - (again) If there is something I can do for solving this, let me know. sha1-diediedie :-)
(In reply to Peter Müller from comment #2) > - ping - (again) > > If there is something I can do for solving this, let me know. > > sha1-diediedie :-) Yes, you could implement all of this :)
Okay. If any questions arise, I will let you know.
Seems like I do not have access to the webserver. Could you please show me which is the correct machine and grant access to it? Thanks.
What do you need access to the web server for?
(In reply to Michael Tremer from comment #6) > What do you need access to the web server for? Well, I guess the installation media checksums are living on some webserver (downloads.ipfire.org) ...
Forget about my last comment. Just found the webapp file... :-\
https://git.ipfire.org/?p=ipfire.org.git;a=commit;h=752c8888e6038fec2f8b3fc1b97deb8b91a4dbce implements SHA256 checksums on website if available. (Thanks, Michael.)
Hi, Thank you for implementing the SHA256 checksums on your website. I found them here: https://www.ipfire.org/download/ipfire-2.21-core125 Regards, Mark Rijckenberg
Hey, thanks for being quicker than me. I added those to the database yesterday with the release. However, this isn't the end of the story for me. I still want a proper signature on the images instead of a cryptographically secure checksum. The purpose of the checksum is still being a checksum and nothing else :)
*** Bug 12180 has been marked as a duplicate of this bug. ***
Note that most distros are not signing the images themselves (too big), they are signing the hashes instead (see my bug 12180 for links showing that)