Re: Proposal to augment CD/faq/#verify, version 2

To: debian-cd@lists.debian.org
Subject: Re: Proposal to augment CD/faq/#verify, version 2
From: "Thomas Schmitt" <scdbackup@gmx.net>
Date: Mon, 09 Sep 2024 20:22:36 +0200
Message-id: <[🔎] 21362309991376147109@scdbackup.webframe.org>
In-reply-to: <[🔎] 47030274-bab2-4141-8a74-9e9ecdb508e0@gmail.com>
References: <[🔎] 47030274-bab2-4141-8a74-9e9ecdb508e0@gmail.com>

Hi,

i wrote:
> > - The text points to the authenticity verification page
> >     https://www.debian.org/CD/verify
> >   which gives no tangible example how to verify *SUMS files by *SUMS.sign.

Max Nikulin wrote:
> I do not mind that there is a page which purpose is solely to specify key
> IDs and fingerprints since it is most sensitive info. What I do not like
> are descriptions of links to this page:
> - "verification guide"
>  <https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/
> - "Detailed information on how to authenticate the signed checksum [...]
>   <https://www.debian.org/CD/faq/#verify

That's why i propose to show a full example with  gpg  in the FAQ rather
than pointing to the key-and-fingerprint page, which stays neutral towards
the tools to use.
If gpg is really out of reach, then at least the reader of the FAQ has
something tangible to search in the web for an equivalent procedure with
the tool of choice.

i wrote:
> > $ gpg --keyserver keyring.debian.org --recv-keys 64E6EA7D 6294BE9B 09EA8AC3

> Despite I do not expect keys having collisions for 32 bit identifiers
> uploaded to keyring.debian.org, I think, it is better to use 64 bit
> identifiers here

I understand from the web that in case of identical short key ids all
matching keys are received from the server.
This is not an additional security problem in the proposed instructions
because they prescribe to compare the fingerprint, not the subset of the
fingerprint which is the key id.

> I am unsure if there are drawback of the following recipe. Debian users may
> try:
> sudo apt install debian-keyring

Wouldn't that import all keys ?
If so, then if the short ids impose any problem, downloading all keys
would be even more of a problem.

> Nowadays SUMS files may be obtained using https: protocol from
> cdimage.debian.org even if image file is downloaded from a local mirror. It
> is secure enough.

It is not. Most obviously because if you do not trust the download of
the ISO image, then you cannot trust the SUMS files from the same
directory and via the same internet connection.
On the other hand, if you would trust download directory and connection,
then MD5 would be fully sufficient to detect non-malicious transport
damage. But Debian decomissioned MD5SUMS for a reason.

Have a nice day :)

Thomas

Reply to:

Follow-Ups:
- Re: Proposal to augment CD/faq/#verify, version 2
  - From: Max Nikulin <manikulin@gmail.com>

References:
- Re: Proposal to augment CD/faq/#verify, version 2
  - From: Max Nikulin <manikulin@gmail.com>

Prev by Date: Re: Proposal to augment CD/faq/#verify, version 2
Next by Date: Re: Proposal to augment CD/faq/#verify, version 2
Previous by thread: Re: Proposal to augment CD/faq/#verify, version 2
Next by thread: Re: Proposal to augment CD/faq/#verify, version 2
Index(es):
- Date
- Thread