#1 2015-12-20 10:15:34

Lord Bo
Member
Registered: 2012-11-11
Posts: 168

[SOLVED] Checking Authenticity of Arch Installation Medium

I recently downloaded the archlinux-2015.12.01-dual.iso.sig and noticed that the link from the download page to the signature is broken. So the most obvious way to get that signature is to download it from a mirror. However, this spoils the procedure a bit, since the key is meant to check that the mirror does not provide a manipulated image. So one must verify that the key is not manipulated, but the correct method to do this is never explained in Getting and installing Arch (the easiest and maybe not the most proper way is to look up the key's fingerprint on the developers-page). I don't know who to address with this, so I opened this post.

Last edited by Lord Bo (2015-12-21 16:06:52)

#2 2015-12-20 10:19:07

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,696

Re: [SOLVED] Checking Authenticity of Arch Installation Medium

The sig (archlinux-2015.12.01-dual.iso.sig) is the same the world over.  Download it from any mirror and the iso from any other mirror.  At the end, if `pacman-key -v archlinux-2015.12.01-dual.iso.sig` doesn't check out, delete the iso and try again.


#3 2015-12-20 10:26:43

Lord Bo
Member
Registered: 2012-11-11
Posts: 168

Re: [SOLVED] Checking Authenticity of Arch Installation Medium

Yes, I understand what to do. However, the way it is explained, a user with no background about the idea of authentication via the public key method is easily deceived into downloading a manipulated image from a mirror, if this mirror provides a manipulated signature, too, since the Wiki does not explain the problem that a signature has to be verified itself (e.g. by a signature of its own). So at least the signature on the main download page should exist.

edit: And I wouldn't do it the way you suggested. Even if the signature and the iso are from two (seemingly) separate mirrors, if there was someone using intentional manipulation, he could take that into account and provide several mirrors. The best way is always to check the signature (which again opens up enough problems; however, I don't mean to dive deeper into that).

Last edited by Lord Bo (2015-12-20 10:36:53)
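
The concern raised in this post, that a valid signature only helps if the signing key itself is checked, can be enforced mechanically. The following is an added example, not part of the original thread: it calls gpg directly rather than `pacman-key`, the function names are hypothetical, and the expected fingerprint is an argument you supply from a source other than the mirror (v4, 40-hex-digit fingerprints assumed).

```shell
#!/bin/sh
# Added example (not from the thread): accept an ISO only when the signature
# is valid AND made by a key whose fingerprint was pinned out-of-band.

# Strip whitespace and uppercase, so "0123 4567 ..." compares equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# signer_matches EXPECTED_FPR
# Reads `gpg --status-fd 1 --verify` output on stdin. Returns 0 only if a
# VALIDSIG line names EXPECTED_FPR as signing key ($3) or primary key ($NF);
# 1 if no such line; 2 if the pin itself is not a 40-hex-digit fingerprint.
signer_matches() {
    want=$(normalize_fpr "$1")
    [ "${#want}" -eq 40 ] || return 2
    case "$want" in *[!0-9A-F]*) return 2 ;; esac
    awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if (toupper($3) == want || toupper($NF) == want) ok = 1
        }
        END { exit (ok ? 0 : 1) }
    '
}

# verify_iso ISO SIG EXPECTED_FPR
# A bad or missing signature yields no VALIDSIG line, so this fails closed.
verify_iso() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | signer_matches "$3"
}

# Constructed sample of gpg status output (fingerprint and user ID are made up).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer <signer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2015-12-01 1448928000 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'
```

A signature that verifies against a key fetched from the same mirror as the ISO passes gpg's check but fails `signer_matches`, which is exactly the case the post describes.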

#4 2015-12-20 14:32:41

tom.ty89
Member
Registered: 2012-11-15
Posts: 897

Re: [SOLVED] Checking Authenticity of Arch Installation Medium

I filed a bug report here: https://bugs.archlinux.org/task/47455

#5 2015-12-20 15:54:10

Scimmia
Fellow
Registered: 2012-09-01
Posts: 12,418

Re: [SOLVED] Checking Authenticity of Arch Installation Medium

Yes the download should be fixed.

For your other complaint, it's a wiki. Fix it.

#6 2015-12-20 17:05:40

Lord Bo
Member
Registered: 2012-11-11
Posts: 168

Re: [SOLVED] Checking Authenticity of Arch Installation Medium

@tom.ty89: Yeah, thank you, I didn't think about filing a bug for that.
@Scimmia: Never complained, but you are right, I should see what I can do about the wiki.

edit: Updated the wiki entry.

Last edited by Lord Bo (2015-12-20 17:33:16)
