Implement a way to verify the authenticity of Linux Mint.

Registered by Brandon

Mint should implement a better system to verify ISO images, like Debian and Fedora. MD5 is obsolete and dangerous. Fedora, Debian, and Ubuntu sign their hashes.

Steps to implement

The maintainer should do this:

1) gpg --gen-key
     --- select option 1
     --- size should be 4096
     --- publish the public key only. (Lock the private key up in Mint's equivalent of Fort Knox.)

2) sha256sum mintlinux.iso

3) Store the image name and hash in a text file named mint.txt.
      Example contents below:

     126613f11e7a2349ad7d2ecce43d0fb547c4d28cbf76709bdf81150c976aa34a  mintlinux.iso
      ** example, not an actual sha256 hash

4) gpg --clearsign --digest-algo SHA256 --output mint-checksum.sig mint.txt

----------------------------------for people to verify------------------------------------------------------------------------

Publish the public key on your website so people can use curl or something similar:

1) curl https://www.mint.com/public_key/mint.gpg | gpg --import
      * example URL
2) gpg --verify-files mint-checksum.sig
3) sha256sum -c mint-checksum.sig

Example distros: https://fedoraproject.org/en/verify and http://www.debian.org/CD/verify

I was thinking of using Mint, but there was no way to truly verify the images were authentic.
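
Added example, not part of the original proposal or of any distribution's tooling: gpg checks only the text inside the clearsigned block, whereas sha256sum -c reads every checksum line in the file, so this sketch compares the image against the signed lines only. The file names reuse the ones above; the stand-in image, the checksum file and its placeholder signature are constructed, and gpg --verify still has to succeed before the result means anything.

```shell
#!/bin/sh
# Added example: trust only the signed part of a clearsigned checksum file.
# It does not check the signature; run gpg --verify on the file first.

# Print the text between the clearsign headers and the signature block,
# undoing the "- " dash-escaping that clearsigning applies.
signed_payload() {
  awk '
    /^-----BEGIN PGP SIGNED MESSAGE-----$/ { state = 1; next }
    state == 1 && /^$/                     { state = 2; next }  # end of "Hash:" headers
    /^-----BEGIN PGP SIGNATURE-----$/      { state = 0 }
    state == 2                             { sub(/^- /, ""); print }
  ' "$1"
}

# check_iso <clearsigned-file> <image>: succeed only if the image's SHA-256
# equals the hash listed for its file name inside the signed payload.
check_iso() {
  name=$(basename "$2")
  want=$(signed_payload "$1" | awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1 }')
  have=$(sha256sum "$2" | awk '{ print $1 }')
  [ -n "$want" ] && [ "$want" = "$have" ]
}

# Constructed sample: a tiny stand-in "image" and a checksum file laid out
# like a clearsigned one. The signature body is a placeholder, not a real one.
make_sample() {
  printf 'stand-in image contents\n' > "$1/mintlinux.iso"
  {
    # Text outside the signed block is not covered by the signature (see gpg(1)).
    printf '%064d  mintlinux.iso\n' 0
    printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----' 'Hash: SHA256' ''
    (cd "$1" && sha256sum mintlinux.iso)
    printf '%s\n' '-----BEGIN PGP SIGNATURE-----' '' '(placeholder)' '-----END PGP SIGNATURE-----'
  } > "$1/mint-checksum.sig"
}

dir=$(mktemp -d)
make_sample "$dir"
signed_payload "$dir/mint-checksum.sig"
check_iso "$dir/mint-checksum.sig" "$dir/mintlinux.iso" && echo "image matches signed checksum"
rm -rf "$dir"
```

The gpg manual makes the same point about cleartext signatures and suggests detached signatures or writing out the verified data with --output.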

Blueprint information

Status: Not started
Approver: None
Priority: Undefined
Drafter: None
Direction: Needs approval
Assignee: None
Definition: New
Series goal: None
Implementation: Unknown
Milestone target: None
