Secure download

Hello, how could I check sha256sum of iso file and is this iso file signed?
39 Replies
Asterisk
Asterisk4w ago
no signature the gitlab uploads cannot be tampered with it's rather difficult all mirrors pull from there it's a CI system we'd see any modifications
Solution
Asterisk
Asterisk4w ago
click the dropdown arrow and download metadata.gz open the metadata file in notepad we were working on checksums but I don't think we have any for the current build
Marek7639
Marek76394w ago
Ow I understand You can sign it later Thank you very much
Valkyrja
Valkyrja4w ago
ム丂イ乇尺ノ丂ズ received a thank you Jao!
Asterisk
Asterisk4w ago
not that I've ever seen anyone check that checksums are more important and easier to verify the gitlab account mechanism is good protection from an unauthorized upload I can just edit the CI procedure to checksum the file and save it to an artifact
Marek7639
Marek76394w ago
I will check check sum from all servers which are on HTTPS.
Asterisk
Asterisk4w ago
omly do the ones with a listed version though the system doesn't account for rebuilds on the same version so there may be discrepancies the cronjobs take a little bit to run the sync scripts
Marek7639
Marek76394w ago
Yes and no, checksum say that file is the same, but signed file say that this file is from you
Asterisk
Asterisk4w ago
the fact that nobody else can access the repo also says that
Marek7639
Marek76394w ago
This two things is very important
Asterisk
Asterisk4w ago
the only potential there is on another mirror if it was hacked or something or on the gitlab itself but that would be trickier not that we have a master key or any kind of signing infra rn 🙃 the web of trust thing is kinda complicated but I'll look linto it
Marek7639
Marek76394w ago
Do you hear about attack man in the middle?
Asterisk
Asterisk4w ago
who would MITM an average joe doin a download you'd have to inject something mid-build or mid-download which there are systems in place like SSL and DNSSEC for this idk if Rudra actually enabled DNSSEC tho the risk is rather low at the moment we're not a mission-critical server distro or Qubes OS we have time to figure something out @Rudra
Marek7639
Marek76394w ago
Ok, thank you for help Well we have discrepancies
Marek7639
Marek76394w ago
No description
Marek7639
Marek76394w ago
First file is from Master Build Server Next two are from USA and Germany
Asterisk
Asterisk4w ago
considering those 2 are both the same we'll chalk it up to an update missed there's a mirror name column for a reason @otus 🐝
Marek7639
Marek76394w ago
Well, version look like they are the same
Marek7639
Marek76394w ago
No description
Asterisk
Asterisk4w ago
exactly, but we can trigger a rebuild without committing meaning the commit hash stays the same we could shift the update system to checksums on the backend (and still display commit shas) have you ever used github actions or gitlab CI before?
Marek7639
Marek76394w ago
Yes Ok, you have right
Valkyrja
Valkyrja4w ago
@Marek7639, you've gained the level 1
Asterisk
Asterisk4w ago
apparently Rudra must have both mirrors have the same bad checksum I think he's the only one who can
Marek7639
Marek76394w ago
By the way can I use simply Kali Linux on your container manager? Can I help you some how with your distribution?
Asterisk
Asterisk4w ago
it's not in the list so no we're working on some way around this in the future 🤫 i.e. integration with any podman container you can grab off docker hub, ghcr.io, quay, etc what do you specialize in cool
otus 🐝
otus 🐝4w ago
what happened
Asterisk
Asterisk4w ago
you have to manually update
otus 🐝
otus 🐝4w ago
update what
Asterisk
Asterisk4w ago
the ISO
otus 🐝
otus 🐝4w ago
how why where when what
Asterisk
Asterisk4w ago
scroll up . you're one of these
otus 🐝
otus 🐝4w ago
ok wait what happened
Asterisk
Asterisk4w ago
checksum discrepancy first one is the gitlab then bottom 2 are you and Sahilister
otus 🐝
otus 🐝4w ago
so are you sure its not gitlab doing some tagging
Asterisk
Asterisk4w ago
pretty sure the tagging is in a seperate file metadata.gz
otus 🐝
otus 🐝4w ago
then idk how thats happening
Asterisk
Asterisk4w ago
we can do rebuilds without committing I think that's what's happening meaning the version file stays the same it's gitlab CI have you never used it
otus 🐝
otus 🐝4w ago
not really i dont have much experience regarding CIs