Secure download
Hello, how could I check sha256sum of iso file and is this iso file signed?
Solution:Jump to solution
you might find what you're looking for here: https://git.blendos.co/blendOS/image-builder/-/artifacts
39 Replies
no signature
the gitlab uploads cannot be tampered with
it's rather difficult
all mirrors pull from there
it's a CI system
we'd see any modifications
Solution
you might find what you're looking for here: https://git.blendos.co/blendOS/image-builder/-/artifacts
click the dropdown arrow and download metadata.gz
open the
metadata file in notepad
we were working on checksums but I don't think we have any for the current buildOw I understand
You can sign it later
Thank you very much
ム丂イ乇尺ノ丂ズ received a thank you Jao!
not that I've ever seen anyone check that
checksums are more important
and easier to verify
the gitlab account mechanism is good protection from an unauthorized upload
I can just edit the CI procedure to checksum the file and save it to an artifact
I will check check sum from all servers which are on HTTPS.
omly do the ones with a listed version
though the system doesn't account for rebuilds on the same version
so there may be discrepancies
the cronjobs take a little bit to run the sync scripts
Yes and no, checksum say that file is the same, but signed file say that this file is from you
the fact that nobody else can access the repo also says that
This two things is very important
the only potential there is on another mirror
if it was hacked or something
or on the gitlab itself but that would be trickier
not that we have a master key or any kind of signing infra rn 🙃
the web of trust thing is kinda complicated but I'll look linto it
Do you hear about attack man in the middle?
who would MITM an average joe doin a download
you'd have to inject something mid-build or mid-download
which there are systems in place like SSL and DNSSEC for this
idk if Rudra actually enabled DNSSEC tho
the risk is rather low at the moment
we're not a mission-critical server distro
or Qubes OS
we have time to figure something out
@Rudra
Ok, thank you for help
Well we have discrepancies
First file is from Master Build Server
Next two are from USA and Germany
considering those 2 are both the same we'll chalk it up to an update missed
there's a mirror name column for a reason
@otus 🐝
Well, version look like they are the same
exactly, but we can trigger a rebuild without committing
meaning the commit hash stays the same
we could shift the update system to checksums on the backend (and still display commit shas)
have you ever used github actions or gitlab CI before?
Yes
Ok, you have right
@Marek7639, you've gained the level
1apparently Rudra must have
both mirrors have the same bad checksum
I think he's the only one who can
By the way can I use simply Kali Linux on your container manager?
Can I help you some how with your distribution?
it's not in the list
so no
we're working on some way around this in the future
🤫
i.e. integration with any podman container you can grab off docker hub, ghcr.io, quay, etc
what do you specialize in
cool
what happened
you have to manually update
update what
the ISO
how
why
where
when
what
scroll up
.
you're one of these
ok wait what happened
checksum discrepancy
first one is the gitlab
then bottom 2 are you and Sahilister
so are you sure its not gitlab doing some tagging
pretty sure
the tagging is in a seperate file
metadata.gz
then idk how thats happening
we can do rebuilds without committing
I think that's what's happening
meaning the version file stays the same
it's gitlab CI have you never used it
not really
i dont have much experience regarding CIs