Singapore Government Hackers Love to Hack Teo En Ming's Computers, Smartphones, and Internet Online Accounts
silver.bullet at zoho.com
Sun Aug 9 09:43:23 UTC 2015
On Sun, 09 Aug 2015 11:22:37 +0200, Oliver Grawert wrote:
>* do not use third party repositories like PPAs (unless you can and
>want to inspect the source code in there before using the binaries)
This depends on the trustworthiness. You might trust the Ubuntu
maintainers and you might trust a PPA maintainer. Assuming you trust
those people, you still need trusted keys.
I already posted it two times:
https://help.ubuntu.com/community/VerifyIsoHowto
"$ gpg --verify MD5SUMS.gpg MD5SUMS
gpg: Signature made 2014-07-25T01:53:21 CEST using DSA key ID FBB75451
gpg: Good signature from "Ubuntu CD Image Automatic Signing Key <cdimage at ubuntu.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: C598 6B4F 1257 FFA8 6632 CBA7 4618 1433 FBB7 5451

In this example a "Good signature" validates the integrity of the
given file. The warning message indicates your current GnuPG trust
database does not have trust information for that signing key, unless
you have actually verified and signed one of the public keys
belonging to signers of the Ubuntu CD Image signing key."
Summary:
If you already downloaded the ISO via a button that downloads the ISO only,
without downloading the signed checksum and the public key, and without
having a trusted source to ensure that the owner of the key is really
the person you trust, all your hints are null and void.
Btw, for my taste a few PPA maintainers seem to be more trustworthy
than the owner of Canonical. And again, this is just my taste; whoever
we trust, we still need to ensure that we have the correct public keys.
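The procedure the quoted howto describes, written out as a script. This is an added example and is not part of the mailing-list post or of the Ubuntu wiki page: it verifies the detached signature over the checksum file, pins the signer's primary-key fingerprint so gpg's "not certified" warning is answered by an explicit comparison rather than ignored, and only then checks the ISO's hash. Assumptions not in the original: the file names SHA256SUMS and SHA256SUMS.gpg, the availability of sha256sum or shasum, and that the pinned fingerprint (copied from the gpg output quoted above) has been confirmed through a channel other than the download server.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post or the Ubuntu wiki page.
# Verifies a downloaded Ubuntu ISO against a signed checksum file, pinning the
# signing key's fingerprint so that gpg's "not certified" warning is answered
# by an explicit check instead of being ignored.
#
# Assumptions (not from the original post): SHA256SUMS and SHA256SUMS.gpg sit
# next to the ISO; the fingerprint below is copied from the gpg output quoted
# in the post and must itself be confirmed out of band (a key fetched from the
# same place as the ISO proves nothing about who controls it).

EXPECTED_FPR="C598 6B4F 1257 FFA8 6632 CBA7 4618 1433 FBB7 5451"

# normalize_fpr FPR: drop whitespace and uppercase the hex so fingerprints
# copied from different displays compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# fpr_matches EXPECTED ACTUAL: succeed only if both normalize to the same value.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# signing_fpr SIGFILE DATAFILE: print the primary-key fingerprint behind a
# *valid* signature over DATAFILE, or nothing. Uses gpg's machine-readable
# status lines: VALIDSIG is emitted only for a good signature; its 3rd field
# is the (sub)key that signed, its 12th field the primary key fingerprint.
signing_fpr() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $12; exit }'
}

# sha256_of FILE: hex digest, using whichever tool the system has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# iso_hash_matches SUMSFILE ISO: look up the ISO's basename in SUMSFILE
# (Ubuntu writes lines as "<hex> *<filename>") and compare with the real digest.
iso_hash_matches() {
    iso_name=$(basename "$2")
    expected_sum=$(awk -v f="$iso_name" \
        '{ n = $2; sub(/^\*/, "", n); if (n == f) { print $1; exit } }' "$1")
    [ -n "$expected_sum" ] || return 1
    [ "$expected_sum" = "$(sha256_of "$2")" ]
}

# verify_iso SUMSFILE SIGFILE ISO: the full chain; each step says why it failed.
verify_iso() {
    sig_fpr=$(signing_fpr "$2" "$1")
    if [ -z "$sig_fpr" ]; then
        echo "FAIL: no valid signature over $1 (key not imported, or file altered)" >&2
        return 1
    fi
    if ! fpr_matches "$EXPECTED_FPR" "$sig_fpr"; then
        echo "FAIL: $1 is signed by $sig_fpr, not by the pinned key" >&2
        return 1
    fi
    if ! iso_hash_matches "$1" "$3"; then
        echo "FAIL: $3 is not listed in $1 or its SHA-256 differs" >&2
        return 1
    fi
    echo "OK: $3 matches a checksum signed by $sig_fpr"
}

# Usage: ./verify-iso.sh SHA256SUMS SHA256SUMS.gpg ubuntu.iso
# The key must already be in your keyring. Fetching it, for example with
#   gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 0xFBB75451
# only gets you *a* key carrying that short ID; the fpr_matches step is what
# ties the signature to the fingerprint you confirmed elsewhere.
if [ $# -eq 3 ]; then
    verify_iso "$1" "$2" "$3"
fi
```

The design point is the order of checks: the signature is verified first and its fingerprint compared against a constant you obtained independently, and the ISO hash is consulted only after that. Checking the hash alone, or accepting "Good signature" without the fingerprint comparison, trusts whatever key the download server chose to publish, which is exactly the gap the post is pointing at.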