blendOS • 7mo ago
Marek7639

Secure download

Hello, how could I check the sha256sum of the ISO file, and is this ISO file signed?
39 Replies
🎄 Asterisk • 7mo ago
no signature
the gitlab uploads cannot be tampered with
it's rather difficult
all mirrors pull from there
it's a CI system
we'd see any modifications
Solution
🎄 Asterisk • 7mo ago
click the dropdown arrow and download metadata.gz
open the metadata file in notepad
we were working on checksums but I don't think we have any for the current build
Marek7639 OP • 7mo ago
Oh I understand
You can sign it later
Thank you very much
Valkyrja • 7mo ago
ﾑ丂ｲ乇尺ﾉ丂ズ received a thank you Jao!
🎄 Asterisk • 7mo ago
not that I've ever seen anyone check that
checksums are more important and easier to verify
the gitlab account mechanism is good protection from an unauthorized upload
I can just edit the CI procedure to checksum the file and save it to an artifact
Marek7639 OP • 7mo ago
I will check the checksum from all servers which are on HTTPS.
🎄 Asterisk • 7mo ago
only do the ones with a listed version though
the system doesn't account for rebuilds on the same version so there may be discrepancies
the cronjobs take a little bit to run the sync scripts
Marek7639 OP • 7mo ago
Yes and no, a checksum says that the file is the same, but a signed file says that this file is from you
🎄 Asterisk • 7mo ago
the fact that nobody else can access the repo also says that
Marek7639 OP • 7mo ago
These two things are very important
🎄 Asterisk • 7mo ago
the only potential there is on another mirror if it was hacked or something
or on the gitlab itself but that would be trickier
not that we have a master key or any kind of signing infra rn 🙃
the web of trust thing is kinda complicated but I'll look into it
Marek7639 OP • 7mo ago
Have you heard about the man-in-the-middle attack?
🎄 Asterisk • 7mo ago
who would MITM an average joe doin a download
you'd have to inject something mid-build or mid-download
which there are systems in place like SSL and DNSSEC for this
idk if Rudra actually enabled DNSSEC tho
the risk is rather low at the moment
we're not a mission-critical server distro or Qubes OS
we have time to figure something out
@Rudra
Marek7639 OP • 7mo ago
Ok, thank you for help
Well we have discrepancies
Marek7639 OP • 7mo ago
[image attachment, no description]
Marek7639 OP • 7mo ago
First file is from Master Build Server
Next two are from USA and Germany
🎄 Asterisk • 7mo ago
considering those 2 are both the same we'll chalk it up to an update missed
there's a mirror name column for a reason
@otus 🐝
Marek7639 OP • 7mo ago
Well, the versions look like they are the same
Marek7639 OP • 7mo ago
[image attachment, no description]
🎄 Asterisk • 7mo ago
exactly, but we can trigger a rebuild without committing
meaning the commit hash stays the same
we could shift the update system to checksums on the backend (and still display commit shas)
have you ever used github actions or gitlab CI before?
Marek7639 OP • 7mo ago
Yes
Ok, you are right
Valkyrja • 7mo ago
@Marek7639, you've gained the level 1
🎄 Asterisk • 7mo ago
apparently Rudra must have both mirrors have the same bad checksum I think he's the only one who can
Marek7639 OP • 7mo ago
By the way can I use simply Kali Linux on your container manager?
Can I help you somehow with your distribution?
🎄 Asterisk • 7mo ago
it's not in the list so no
we're working on some way around this in the future 🤫
i.e. integration with any podman container you can grab off docker hub, ghcr.io, quay, etc
what do you specialize in
cool
otus 🐝 • 7mo ago
what happened
🎄 Asterisk • 7mo ago
you have to manually update
otus 🐝 • 7mo ago
update what
🎄 Asterisk • 7mo ago
the ISO
otus 🐝 • 7mo ago
how why where when what
🎄 Asterisk • 7mo ago
scroll up . you're one of these
otus 🐝 • 7mo ago
ok wait what happened
🎄 Asterisk • 7mo ago
checksum discrepancy
first one is the gitlab then bottom 2 are you and Sahilister
otus 🐝 • 7mo ago
so are you sure it's not gitlab doing some tagging
🎄 Asterisk • 7mo ago
pretty sure the tagging is in a separate file metadata.gz
otus 🐝 • 7mo ago
then idk how that's happening
🎄 Asterisk • 7mo ago
we can do rebuilds without committing
I think that's what's happening
meaning the version file stays the same
it's gitlab CI
have you never used it
otus 🐝 • 7mo ago
not really
i don't have much experience regarding CIs