[arch-devops] Arch Linux ISO Checksums on archlinux.org

Johannes Löthberg johannes at kyriasis.com
Wed Feb 24 02:35:19 UTC 2016

On 23/02, Christian Rebischke wrote:
>On Mon, Feb 22, 2016 at 04:55:17PM +0100, Levente Polyak wrote:
>> On February 22, 2016 4:22:40 PM GMT+01:00, Christian Rebischke <Chris.Rebischke at archlinux.org> wrote:
>> >Maybe we should also sign the ISO with a GPG-Key.
>> >
>> >I don't mean that we should remove the MD5 checksum but we should add
>> >some other checksum and sign the ISO.
>> >
>> The ISO is actually signed, above the mentioned checksums [0] you can find the signature file [1].
>> Cheers,
>> Levente
>> [0] https://www.archlinux.org/download/
>> [1] https://www.archlinux.org/iso/2016.02.01/archlinux-2016.02.01-dual.iso.sig
>Sorry guys, there I was too fast and inattentive.
>But, however, what do you think about adding a stronger checksum to it?
>I know that a GPG signature + MD5 or SHA1 would be enough but I know enough
>people who just check the checksum and don't care about signatures.

The checksums aren't for security, and anyone who replaced the tarball 
could most likely change the checksum as well.

  Johannes Löthberg
  PGP Key ID: 0x50FB9B273A9D0BB5