On 12/26/2016 07:35 AM, NicoHood wrote:
> Yesterday I wanted to install ArchLinux on someone else's computer. He used Windows until now and had no gpg handy yet (it is really annoying to install on Windows).

What is wrong with, say, Gpg4win? Okay, it is difficult to *trust* the software without any way of securely proving it itself hasn't been backdoored. Then again, how did *you* initially trust your Linux distribution? But I don't see why it would be especially difficult to *install* on Windows.

> So we needed to verify the source otherwise. But there was no real option, as md5/sha1 is broken and his internet is too slow to download it again via torrent. We did not install Arch then, and I will send him my sha512sum from my computer in the next days, where I did a torrent download.

I was under the impression that sha1 works just fine, and will for a little while yet. Preimage attacks haven't been suggested to be feasible yet, to my knowledge. Though we should still move off sha1 simply because it is continually weakening and on its last legs (or already broken for some functionality), I am pretty sure your friend is safe...

> ArchLinux wants to KISS, so we should simply add stronger hashes instead of requiring the user to download two tools. It's quite a struggle to find a hash tool for Windows anyways.

I am not overly familiar with the checksumming landscape in Windows-land, but I could have sworn all the common tools I found back in "the day" were capable of verifying a range of hash functions, much like coreutils as a set is capable of verifying a range of hash functions. Why do you need two tools?

> Also the website should state from which person the signature is and which fingerprint it uses. I still could not find this information (otherwise I'd contact this person).

Usually gpg tells you this automagically. :p Anyway, the key already has full trust from pacman-key, if you are verifying from an Arch system... also, the frontpage has a link[1] to the canonical master keys "for all Arch Linux purposes", which is how I initially verified the ISO signature as having a valid trust. (Do take caution to independently verify those signatures e.g. from the owner's personal website.)

-- 
Eli Schwartz

[1] https://www.archlinux.org/master-keys/
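The checksum question in the thread (md5/sha1 lines published, sha512 wanted, one tool rather than two) as an added Python example that is not part of the thread or of Arch's own tooling: it parses coreutils-style checksum lines, verifies the image with the strongest algorithm a line exists for, and flags md5/sha1-only results. The file name, the sample ISO bytes and the checksum text are constructed here.

```python
import hashlib

# Strongest first. md5 is collision-broken and sha1 is on its way out,
# so a match on either is reported with a warning rather than silently.
RANKED = ("sha512", "sha256", "sha1", "md5")
ACCEPTABLE = {"sha512", "sha256"}


def parse_sums(text):
    """Return {algorithm: {filename: hexdigest}} from checksum-file text.

    coreutils does not record the algorithm in the file, so it is
    inferred from the digest length. A leading '*' on the file name
    (binary mode marker) is dropped.
    """
    by_len = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
    out = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        algo = by_len.get(len(digest))
        if algo:
            out.setdefault(algo, {})[name] = digest
    return out


def file_digest(data, algo):
    """Hex digest of in-memory bytes (for a real ISO, feed chunks to h.update)."""
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


def verify(data, filename, sums_text):
    """Return (ok, algorithm_used, warning) using the strongest available line."""
    sums = parse_sums(sums_text)
    for algo in RANKED:
        expected = sums.get(algo, {}).get(filename)
        if expected is None:
            continue
        ok = file_digest(data, algo) == expected
        warn = None if algo in ACCEPTABLE else f"{algo} is weak; obtain a sha512sum"
        return ok, algo, warn
    return False, None, "no checksum line for this file"


# Constructed sample input standing in for the ISO and a published sums file.
SAMPLE_ISO = b"constructed sample image contents\n"
SAMPLE_NAME = "archlinux-sample.iso"
SAMPLE_SUMS = (file_digest(SAMPLE_ISO, "sha1") + "  " + SAMPLE_NAME + "\n"
               + file_digest(SAMPLE_ISO, "sha512") + " *" + SAMPLE_NAME + "\n")
```

With only a sha1 line published, `verify` still returns `ok=True` but carries the weakness warning, which is the situation described above.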