please provide https download at least for the signature
hi,
i get big warnings here trying to download grml:
[cid:b45268ec-1a7a-45db-8b2d-77d2b3c7bbe2] (something like "dont download this file: possible security risk" )
cause its provided without encryption.
Could you please provide https links (at least for the signature file if it is impossible for the iso)
thanks in advance
i tried to verify stuff but i am not sure if i did it in anyway right and am more confused then before
$ gpg grml64-full_2024.02.iso.asc gpg: directory '/home/owner/.gnupg' created gpg: keybox '/home/owner/.gnupg/pubring.kbx' created gpg: WARNING: no command supplied. Trying to guess what you mean ... gpg: assuming signed data in 'grml64-full_2024.02.iso'
gpg: Signature made Tue 27 Feb 2024 12:03:13 PM CET gpg: using RSA key 33CCB136401AFEC843A3876396A87872B7EA3737 gpg: Can't check signature: No public key owner@PC-G2H367S:~/Owner.win/Downloads$ gpg --keyid-format long --keyserver hkps://keys.openpgp.org --recv-keys 0x96A87872B7EA3737 gpg: /home/owner/.gnupg/trustdb.gpg: trustdb created gpg: key 96A87872B7EA3737: public key "Michael Prokop mail@michael-prokop.at" imported gpg: Total number processed: 1 gpg: imported: 1 owner@PC-G2H367S:~/Owner.win/Downloads$ sudo apt install gpg Reading package lists... Done Building dependency tree... Done Reading state information... Done gpg is already the newest version (2.2.40-1.1). 0 upgraded, 0 newly installed, 0 to remove and 16 not upgraded. owner@PC-G2H367S:~/Owner.win/Downloads$ gpg grml64-full_2024.02.iso.asc gpg: WARNING: no command supplied. Trying to guess what you mean ... gpg: assuming signed data in 'grml64-full_2024.02.iso' gpg: Signature made Tue 27 Feb 2024 12:03:13 PM CET gpg: using RSA key 33CCB136401AFEC843A3876396A87872B7EA3737 gpg: Good signature from "Michael Prokop mail@michael-prokop.at" [unknown] gpg: aka "Michael Prokop michael.prokop@synpro.solutions" [unknown] gpg: aka "Michael Prokop mika@debian.org" [unknown] gpg: aka "Michael Prokop mika@grml.org" [unknown] gpg: aka "Michael Prokop prokop@grml-solutions.com" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 33CC B136 401A FEC8 43A3 8763 96A8 7872 B7EA 3737 owner@PC-G2H367S:~/Owner.win/Downloads$
regards
TN
PS: also you just could show the sha256sum of the iso on the download page which is provided using https to give an easier way to check this using common gui tools...
TN
On Mon, Oct 21, 2024, at 11:52, T N wrote:
hi,
Hi, fellow GRML fan here.
i get big warnings here trying to download grml:
(something like "dont download this file: possible security risk" )
cause its provided without encryption.
Could you please provide https links (at least for the signature file if it is impossible for the iso)
I believe the default download links to a geoip mirror selection service (download.grml.org) which redirects to a HTTP mirror. I believe some mirrors automatically redirect HTTP to HTTPS. Some browsers may also forcefully upgrade HTTP to HTTPS.
It is a bit odd that the geoip mirror selection service does not itself redirect to HTTPS mirrors when possible. (Check with
curl -sSIL https://download.grml.org/grml96-full_2024.02.iso | awk '/^Location:/ { print $2; }'
.) Opportunity for improvement perhaps ;)?
If you need a HTTPS mirror feel free to click on "Download from a specific mirror".
i tried to verify stuff but i am not sure if i did it in anyway right and am more confused then before
GPG can be a bit confusing and can empathize with deferring to HTTPS's link authenticity guarantees instead.
Unfortunately your trust in HTTPS might be misplaced: HTTPS offers authenticity on the link between your computer and the mirror. What if the mirror's files were tampered with? Mitigating risk of mirror tampering is beyond HTTPS's scope. This is where GPG signatures shine.
I think many users eschew the verification step. It's a risk assessment that only you can decide on. Maybe it's sufficient to trust a HTTPS server with a good certificate, however, this trust really doesn't amount to anything beyond the webmaster has set up HTTPS correctly.
owner@PC-G2H367S:~/Owner.win/Downloads$ gpg grml64-full_2024.02.iso.asc gpg: WARNING: no command supplied. Trying to guess what you mean ... gpg: assuming signed data in 'grml64-full_2024.02.iso' gpg: Signature made Tue 27 Feb 2024 12:03:13 PM CET gpg: using RSA key 33CCB136401AFEC843A3876396A87872B7EA3737 gpg: Good signature from "Michael Prokop mail@michael-prokop.at" [unknown] gpg: aka "Michael Prokop michael.prokop@synpro.solutions" [unknown] gpg: aka "Michael Prokop mika@debian.org" [unknown] gpg: aka "Michael Prokop mika@grml.org" [unknown] gpg: aka "Michael Prokop prokop@grml-solutions.com" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 33CC B136 401A FEC8 43A3 8763 96A8 7872 B7EA 3737
Yup verified fine and that key fingerprint matches the one listed on the download page. You might consider marking that key as trusted after your own cross-referencing of the download page's listed fingerprint. https://www.gnupg.org/gph/en/manual/x334.html This trust will suppress "WARNING: This key is not certified with a trusted signature!"
Hope that helps, Winston https://winny.tech/
Teilnehmer (2)
-
T N -
Winston Weinert