[arch-general] Stronger Hashes for PKGBUILDs

Eli Schwartz eschwartz93 at gmail.com
Tue Dec 27 18:37:31 UTC 2016


On 12/26/2016 07:35 AM, NicoHood wrote:
>>> Yesterday I wanted to install ArchLinux on someone else's computer. He
>>> used Windows until now and had no gpg handy yet (it is really annoying
>>> to install on windows).

What is wrong with, say, Gpg4win?

Okay, it is difficult to *trust* the software without any way of
securely proving it itself hasn't been backdoored. Then again, how did
*you* initially trust your Linux distribution?
But I don't see why it would be especially difficult to *install* on
Windows.

>>> So we needed to verify the source otherwise. But there was no real
>>> option as md5/sha1 is broken and his internet is too slow to download it
>>> again via torrent. We did not install Arch then and I will send him my
>>> sha512sum from my computer the next days where I did a torrent download.

I was under the impression that sha1 works just fine, and will for a
little while yet. Preimage attacks haven't been suggested to be feasible
yet, to my knowledge. Though we should still move off sha1 simply
because it is continually weakening and on its last legs (or already
broken for some functionality), I am pretty sure your friend is safe...

> ArchLinux wants to KISS, so we should simply add stronger hashes instead
> of requiring the user to download two tools. It's quite a struggle to
> find a hash tool for windows anyways.

I am not overly familiar with the checksumming landscape in
Windows-land, but I could have sworn all the common tools I found back
in "the day" were capable of verifying a range of hash functions, much
like coreutils as a set is capable of verifying a range of hash
functions. Why do you need two tools?

> Also the website should state from which person the signature is and
> which fingerprint it uses. I still could not find this information
> (otherwise I'd contact this person).

Usually gpg tells you this automagically. :p
Anyway, the key already has full trust from pacman-key, if you are
verifying from an Arch system... also, the frontpage has a link[1] to
the canonical master keys "for all Arch Linux purposes", which is how I
initially verified the ISO signature as having a valid trust.
(Do take caution to independently verify those signatures e.g. from the
owner's personal website.)

-- 
Eli Schwartz

[1] https://www.archlinux.org/master-keys/
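As an added illustration of the checksum question in this thread (not code from the thread or from makepkg itself), the following checker reads the checksum arrays of a PKGBUILD, verifies the downloaded sources with the strongest array present, and flags a package that relies only on md5 or sha1. It assumes the usual bash array syntax, e.g. `sha512sums=('<hex>' 'SKIP')`, and that the source files already sit in `srcdir` in the same order as the array.

```python
# Verify downloaded sources against a PKGBUILD's *sums arrays.
# Added example for this thread; assumes makepkg-style array syntax and
# that the files listed in `filenames` are already in `srcdir`.
import hashlib
import re
from pathlib import Path

# makepkg array names, strongest first; md5 and sha1 are treated as weak.
ALGOS = ["b2", "sha512", "sha384", "sha256", "sha224", "sha1", "md5"]
WEAK = {"md5", "sha1"}
ARRAY_RE = re.compile(r"^(%s)sums=\((.*?)\)" % "|".join(ALGOS), re.S | re.M)


def parse_checksums(pkgbuild: str) -> dict:
    """Return {algorithm: [hexdigest or 'SKIP', ...]} for each *sums array."""
    return {m.group(1): re.findall(r"'([^']*)'", m.group(2))
            for m in ARRAY_RE.finditer(pkgbuild)}


def file_digest(path: Path, algo: str) -> str:
    """Stream the file through hashlib; 'b2' is makepkg's name for BLAKE2b."""
    h = hashlib.new("blake2b" if algo == "b2" else algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(pkgbuild: str, srcdir: Path, filenames: list) -> dict:
    """Check every file against the strongest array the PKGBUILD declares.

    Returns {"algo": name, "weak": bool, "ok": {filename: True/False/None}};
    None means the entry was 'SKIP', so nothing was actually checked.
    """
    arrays = parse_checksums(pkgbuild)
    algo = next((a for a in ALGOS if a in arrays), None)
    if algo is None:
        raise ValueError("PKGBUILD declares no checksum arrays")
    expected = arrays[algo]
    if len(expected) != len(filenames):
        raise ValueError("checksum array length does not match source count")
    ok = {}
    for name, want in zip(filenames, expected):
        if want == "SKIP":
            ok[name] = None  # signature files etc. are commonly skipped
            continue
        ok[name] = file_digest(srcdir / name, algo) == want.lower()
    return {"algo": algo, "weak": algo in WEAK, "ok": ok}
```

A 'SKIP' entry is reported as None rather than True so that a caller cannot mistake an unchecked file for a verified one.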
