public inbox for gcc@gcc.gnu.org
* Re: signed gcc downloads
@ 2002-07-18 12:46 Andrea 'Fyre Wyzard' Bocci
  2002-07-18 13:19 ` Paul Koning
  0 siblings, 1 reply; 4+ messages in thread
From: Andrea 'Fyre Wyzard' Bocci @ 2002-07-18 12:46 UTC (permalink / raw)
  To: gcc; +Cc: Zach Bagnall

[-- Attachment #1: Type: text/plain, Size: 455 bytes --]

At 12:51 18/07/2002 +1200, Zach Bagnall wrote:
>Hi there. I'd really like to see the gcc releases distributed with a
>digital signature that can be verified. If the signatures are already
>available, I'd appreciate a link to their location.
>
>All the best

Usually source distributions are MD5 signed - see the file md5.sum in each 
directory. (e.g.
ftp://ftp.mirror.ac.uk/sites/sources.redhat.com/pub/gcc/releases/gcc-3.1/md5.sum 
for GCC 3.1).

fwyzard

[-- Attachment #2: Type: application/pgp-signature, Size: 222 bytes --]


* Re: signed gcc downloads
  2002-07-18 12:46 signed gcc downloads Andrea 'Fyre Wyzard' Bocci
@ 2002-07-18 13:19 ` Paul Koning
  2002-07-19  4:23   ` Zach Bagnall
  0 siblings, 1 reply; 4+ messages in thread
From: Paul Koning @ 2002-07-18 13:19 UTC (permalink / raw)
  To: fwyzard; +Cc: gcc, zach.bagnall

>>>>> "Andrea" == Andrea 'Fyre Wyzard' Bocci <fwyzard@inwind.it> writes:

 Andrea> At 12:51 18/07/2002 +1200, Zach Bagnall wrote:
 >> Hi there. I'd really like to see the gcc releases distributed with
 >> a digital signature that can be verified. If the signatures are
 >> already available, I'd appreciate a link to their location.
 >> 
 >> All the best

 Andrea> Usually source distributions are MD5 signed - see the file
 Andrea> md5.sum in each directory. (e.g.
 Andrea> ftp://ftp.mirror.ac.uk/sites/sources.redhat.com/pub/gcc/releases/gcc-3.1/md5.sum
 Andrea> for GCC 3.1).

Those aren't signatures, they are only checksums.  It isn't clear from
Zach's note which he's looking for -- the question depends on what
danger you want to protect against.

A simple MD5 checksum protects against data corruption in transit (TCP
checksum does the same, but not as well).  It does not protect against
tampering with the file because it's easy to post an md5.sum file
with corresponding changed checksums.

A signature (e.g., PGP signature) protects against tampering too, but
you need the signer's public key to check it, and it's more hassle to
apply since the signer has to supply his private key to do so.

      paul


* Re: signed gcc downloads
  2002-07-18 13:19 ` Paul Koning
@ 2002-07-19  4:23   ` Zach Bagnall
  0 siblings, 0 replies; 4+ messages in thread
From: Zach Bagnall @ 2002-07-19  4:23 UTC (permalink / raw)
  To: gcc; +Cc: Paul Koning

[-- Attachment #1: Type: text/plain, Size: 1474 bytes --]

On Fri, 2002-07-19 at 01:50, Paul Koning wrote:
> Those aren't signatures, they are only checksums.  It isn't clear from
> Zach's note which he's looking for -- the question depends on what
> danger you want to protect against.
> 
> A simple MD5 checksum protects against data corruption in transit (TCP
> checksum does the same, but not as well).  It does not protect against
> tampering with the file because it's easy to post an md5.sum file
> with corresponding changed checksums.
> 
> A signature (e.g., PGP signature) protects against tampering too, but
> you need the signer's public key to check it, and it's more hassle to
> apply since the signer has to supply his private key to do so.
> 
>       paul

Yes, it is a bit of a hassle, but I think it's worth it.

http://www.gnupg.org/

For example, the Linux kernel, irssi and openssl all use signed
downloads. Each file comes with a corresponding .sig file that is
generated using the signer's private key.

If a distribution server is cracked and the file is altered, the
attacker will be unable to generate a valid signature for the altered
file (unlike an md5 sum). Recently irssi was backdoored by an attacker -
a digital sig would have enabled users to detect the alteration. The
irssi developer is now signing all files.

Incidentally, this email is also signed :-).

-- 
Zach Bagnall <zach.bagnall@bulletinwireless.com>

This email is digitally signed. Key ID: 0x3F9AA9A2.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 232 bytes --]
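
Added example, not part of the thread: the scenario Paul Koning and Zach Bagnall describe, where a file on a mirror is altered and md5.sum is regenerated to match. Textbook RSA over two small constructed primes stands in for the signer's PGP key pair; the file contents and all function names are constructed for illustration.

```python
import hashlib

# Constructed toy key: textbook RSA over two Mersenne primes. Far too small
# for real use; it only stands in for the signer's PGP key pair.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q                              # public modulus, obtained out of band
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, never on the server


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes) -> int:
    """Done once by the release manager, offline, with the private key."""
    return pow(digest_int(data), D, N)


def sig_ok(data: bytes, sig: int) -> bool:
    """Done by every downloader, with only the public key (N, E)."""
    return pow(sig, E, N) == digest_int(data)


def publish(tarball: bytes) -> dict:
    """What the mirror holds: the file, its md5.sum entry and its .sig."""
    return {"tarball": tarball, "md5.sum": md5_hex(tarball), "sig": sign(tarball)}


def tamper(server: dict, new_tarball: bytes) -> dict:
    """Write access to the mirror allows swapping the file and recomputing
    md5.sum, but without D the old .sig can only be left in place."""
    return {**server, "tarball": new_tarball, "md5.sum": md5_hex(new_tarball)}


def download_checks(server: dict) -> tuple:
    """Returns (md5 check passed, signature check passed)."""
    t = server["tarball"]
    return md5_hex(t) == server["md5.sum"], sig_ok(t, server["sig"])


if __name__ == "__main__":
    good = publish(b"constructed stand-in for gcc-3.1.tar.gz")
    bad = tamper(good, b"constructed stand-in, modified on the server")
    print("untouched mirror:", download_checks(good))
    print("altered mirror:  ", download_checks(bad))
```

The signature check only helps if the public key comes from somewhere other than the mirror being checked.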


* signed gcc downloads
@ 2002-07-18  8:31 Zach Bagnall
  0 siblings, 0 replies; 4+ messages in thread
From: Zach Bagnall @ 2002-07-18  8:31 UTC (permalink / raw)
  To: gcc

[-- Attachment #1: Type: text/plain, Size: 324 bytes --]

Hi there. I'd really like to see the gcc releases distributed with a
digital signature that can be verified. If the signatures are already
available, I'd appreciate a link to their location.

All the best


-- 
Zach Bagnall <zach.bagnall@bulletinwireless.com>

This email is digitally signed. Key ID: 0x3F9AA9A2.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 232 bytes --]
