On Mon, Oct 21, 2024, at 11:52, T N wrote:
hi,
Hi, fellow GRML fan here.
i get big warnings here trying to download grml:
(something like "dont download this file: possible security risk" )
cause its provided without encryption.
Could you please provide https links (at least for the signature file if it is impossible for the iso)
I believe the default download links to a geoip mirror selection service (download.grml.org) which redirects to a HTTP mirror. I believe some mirrors automatically redirect HTTP to HTTPS. Some browsers may also forcefully upgrade HTTP to HTTPS.
It is a bit odd that the geoip mirror selection service does not itself redirect to HTTPS mirrors when possible. (Check with
curl -sSIL https://download.grml.org/grml96-full_2024.02.iso | awk '/^Location:/ { print $2; }'
.) Opportunity for improvement perhaps ;)?
If you need a HTTPS mirror feel free to click on "Download from a specific mirror".
i tried to verify stuff but i am not sure if i did it in anyway right and am more confused then before
GPG can be a bit confusing and can empathize with deferring to HTTPS's link authenticity guarantees instead.
Unfortunately your trust in HTTPS might be misplaced: HTTPS offers authenticity on the link between your computer and the mirror. What if the mirror's files were tampered with? Mitigating risk of mirror tampering is beyond HTTPS's scope. This is where GPG signatures shine.
I think many users eschew the verification step. It's a risk assessment that only you can decide on. Maybe it's sufficient to trust a HTTPS server with a good certificate, however, this trust really doesn't amount to anything beyond the webmaster has set up HTTPS correctly.
owner@PC-G2H367S:~/Owner.win/Downloads$ gpg grml64-full_2024.02.iso.asc gpg: WARNING: no command supplied. Trying to guess what you mean ... gpg: assuming signed data in 'grml64-full_2024.02.iso' gpg: Signature made Tue 27 Feb 2024 12:03:13 PM CET gpg: using RSA key 33CCB136401AFEC843A3876396A87872B7EA3737 gpg: Good signature from "Michael Prokop mail@michael-prokop.at" [unknown] gpg: aka "Michael Prokop michael.prokop@synpro.solutions" [unknown] gpg: aka "Michael Prokop mika@debian.org" [unknown] gpg: aka "Michael Prokop mika@grml.org" [unknown] gpg: aka "Michael Prokop prokop@grml-solutions.com" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 33CC B136 401A FEC8 43A3 8763 96A8 7872 B7EA 3737
Yup verified fine and that key fingerprint matches the one listed on the download page. You might consider marking that key as trusted after your own cross-referencing of the download page's listed fingerprint. https://www.gnupg.org/gph/en/manual/x334.html This trust will suppress "WARNING: This key is not certified with a trusted signature!"
Hope that helps, Winston https://winny.tech/