Implement a way to verify the authenticity of Linux Mint.
Mint should implement a better system to verify ISO images, like Debian and Fedora. MD5 is obsolete and dangerous. Fedora, Debian, and Ubuntu sign their hashes.
Steps to implement
The maintainer should do this:
1) gpg --gen-key
--- select option 1
--- size should be 4096
--- publish the public key only. (Lock the private key up in Mint's equivalent of Fort Knox)
2) sha256sum MintLinux.Iso
3) store the image name and hash in a text file named mint.txt
Example contents below:
126613f11e
** example, not an actual SHA-256 hash
4) gpg --clearsign --digest-algo SHA256 --output mint-checksum.sig mint.txt
-------
Publish the public key on your web site so people can use curl or something:
1) curl https:/
2) gpg --verify-files mint-checksum.sig
3) sha256sum -c mint-checksum.sig
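The maintainer and user steps above as one script, added here as an illustration and not taken from the blueprint or from Mint. Assumptions: a throwaway key with a constructed name, a constructed stand-in file for the ISO, separate `maint-gnupg` and `user-gnupg` keyrings inside one directory, and `gpg --decrypt` used to extract the signed text so that `sha256sum -c` only reads lines the signature covers.

```shell
#!/usr/bin/env bash
# Added example: throwaway key, constructed stand-in image, everything inside DIR.

# Maintainer side: create a key, hash the image, clearsign the checksum file,
# export the public key. The last line is the user importing that key.
make_signed_release() {
    ( cd "$1" || exit 1
      mkdir -m 700 maint-gnupg user-gnupg || exit 1
      export GNUPGHOME="$PWD/maint-gnupg"
      # Demo key without a passphrase; a real release key is kept offline and protected.
      gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
          --quick-generate-key 'Constructed Release Key <release@example.invalid>' \
          rsa4096 sign never || exit 1
      printf 'constructed stand-in for an ISO image\n' > MintLinux.iso
      sha256sum MintLinux.iso > mint.txt
      gpg --batch --quiet --clearsign --digest-algo SHA256 \
          --output mint-checksum.sig mint.txt || exit 1
      gpg --batch --armor --export > mint-key.asc || exit 1   # this file is what gets published
      gpgconf --kill gpg-agent 2>/dev/null || true
      gpg --batch --quiet --homedir "$PWD/user-gnupg" --import mint-key.asc 2>/dev/null )
}

# User side: succeed only if the signature is good AND the image matches a
# hash taken from the signed text.
verify_image() {
    ( cd "$1" || exit 1
      signed=$(mktemp) || exit 1
      # --decrypt on a clearsigned file checks the signature and prints only
      # the signed text; a bad signature makes gpg exit non-zero.
      if gpg --batch --quiet --homedir "$PWD/user-gnupg" \
             --decrypt mint-checksum.sig > "$signed" 2>/dev/null \
         && sha256sum -c "$signed" >/dev/null 2>&1; then
          rc=0
      else
          rc=1
      fi
      rm -f "$signed"
      exit "$rc" )
}
```

To try it, run `d=$(mktemp -d); make_signed_release "$d"; verify_image "$d" && echo verified`. Outside the demo, the key fingerprint should be compared against one obtained over a separate channel before the imported key is relied on.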
example distros: https:/
I was thinking of using Mint but there was no way to truly verify the images were authentic.
Blueprint information
- Status: Not started
- Approver: None
- Priority: Undefined
- Drafter: None
- Direction: Needs approval
- Assignee: None
- Definition: New
- Series goal: None
- Implementation: Unknown
- Milestone target: None
- Started by:
- Completed by: