man in the mirror attack?

Message

icamts · Post by **icamts** » Thu Apr 14, 2005 6:58 am

The title is a joke.
But that's what's going on my box

root@aria gentoo32_x86 # md5sum -c install-x86-universal-2005.0.iso.md5
install-x86-universal-2005.0.iso: OK
root@aria gentoo32_x86 # gpg --verify install-x86-universal-2005.0.iso.asc install-x86-universal-2005.0.iso
gpg: Signature made Fri Mar 18 23:10:20 2005 CET using DSA key ID 17072058
gpg: BAD signature from "Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key) <releng@gentoo.org>"
root@aria gentoo32_x86 #

Am I missing something or doing something wrong?
Should I trust only md5 sum?
Maybe it's not enough for an iso (700MB) sized file to be for sure what releng team uploaded.

icamts

GNUtritious · Post by **GNUtritious** » Fri Apr 15, 2005 11:17 pm

icamts wrote:Am I missing something or doing something wrong?

The 2005.0 signature appears to be broken, though the signature for 2004.3-r1 was fine.

icamts wrote:Should I trust only md5 sum?

Depending on whether you want to consider collisions in MD5, it should at least tell you (with some confidence) that there were no modifications since the file was posted. The integrity (and authenticity) of the file is dependent on your trust with the mirror, since you cannot verify the identity of the creator.

icamts · Post by **icamts** » Mon Apr 18, 2005 8:33 am

Well, I'm going to install it.
Thank you.

icamts

man in the mirror attack?

man in the mirror attack?

Re: man in the mirror attack?