
Checksum of Debian2 feed signing key available?



  • Hi,

    I think it is best practice to verify the fingerprint of a signing key before accepting it. I do not think it is super important in my case, as I am in control of ProGet and the Ubuntu clients that are to use the ProGet instance for apt update, apt upgrade, etc., as well as the network connecting these entities.

    But I wanted to ask anyway: can the fingerprint be obtained? How (I'm sorry if it is obvious)? (I guess I could do one download and trust that one, and then calculate the fingerprint myself, but asking if it is directly available)

    Br,
    Stefan



  • inedo-engineer

    Hi @stefan-hakansson_8938,

    There's no point in verifying a fingerprint (i.e. hash) for content from a trusted HTTPS source. In the olden days (before "SSL Everywhere" with unreliable downloads and questionable mirrors), it was an important way to validate integrity... but there's no sense to it today.

    If one were to "compromise" a trusted HTTPS source and tamper with content (signing keys, packages, etc), then they could just as easily tamper with hashes provided by the source. So you can simply just accept whatever key ProGet provides you -- no need to "think twice" about it.

    Hashes can help with troubleshooting corrupted files... but with network speeds so fast, you can just redownload it when file sizes don't match.

    Hope that helps,
    Steve



  • Hi @stevedennis, thank you.

    I contemplated the idea of storing the fingerprint in another location (and doing so at a point in time when I'm convinced things are not compromised), and then, when a new host is to subscribe to the ProGet feed, comparing the calculated fingerprint of the ProGet-provided key with the one obtained from the other store. If they do not match, I know one of them has been tampered with.

    But maybe I'm going overboard, and I still can do it by downloading the key to the second location and calculating the fingerprint there if I really want to, so things are fine.

    Thank you again,
    Stefan
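
The out-of-band comparison described in the post above, as an added example that is not from this thread, from Inedo or from ProGet: it computes the v4 OpenPGP fingerprint of an ASCII-armored key straight from the packet bytes and compares it with a fingerprint pinned elsewhere. The key it runs on is a constructed, non-functional sample; `dearmor`, `first_packet`, `v4_fingerprint`, `matches_pinned` and `sample_key` are names chosen here, not anything from the product.

```python
import base64, hashlib, hmac, struct

def dearmor(armored):
    """Strip ASCII armor (RFC 4880 6.2): BEGIN line, armor headers, the "=XXXX" CRC line and END line."""
    lines = [l.strip() for l in armored.strip().splitlines()]
    start = lines.index("") + 1  # armor headers (Version:, Comment:) end at the first blank line
    b64 = [l for l in lines[start:] if not l.startswith(("=", "-----END"))]
    return base64.b64decode("".join(b64))

def first_packet(data):
    """Return (tag, body) of the first OpenPGP packet; handles old- and new-format headers (RFC 4880 4.2)."""
    ctb = data[0]
    if ctb & 0x40:  # new format: tag in the low six bits, one/two/five-octet lengths
        tag, l = ctb & 0x3F, data[1]
        if l < 192:
            length, off = l, 2
        elif l < 224:
            length, off = ((l - 192) << 8) + data[2] + 192, 3
        elif l == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths are not supported")
    else:  # old format: tag in bits 2-5, number of length octets in bits 0-1
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length is not supported")
        length, off = int.from_bytes(data[1:1 + (1 << ltype)], "big"), 1 + (1 << ltype)
    return tag, data[off:off + length]

def v4_fingerprint(armored):
    """v4 fingerprint (RFC 4880 12.2): SHA-1 over 0x99 || two-octet body length || public-key packet body."""
    tag, body = first_packet(dearmor(armored))
    if tag != 6 or body[0] != 4:
        raise ValueError("expected a version 4 public-key packet")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def matches_pinned(armored, pinned):
    """Compare the downloaded key against a fingerprint recorded out of band (spaces/case ignored)."""
    return hmac.compare_digest(v4_fingerprint(armored), pinned.replace(" ", "").upper())

def sample_key():
    """Constructed v4 RSA public-key packet with tiny fake MPIs; not a real key, for demonstration only."""
    mpi = lambda x: struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", 1700000000) + b"\x01" + mpi((1 << 255) | 0x12345678) + mpi(65537)
    packet = b"\x99" + struct.pack(">H", len(body)) + body  # old-format CTB for tag 6 with a two-octet length
    b64 = base64.b64encode(packet).decode()
    return f"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n{b64}\n-----END PGP PUBLIC KEY BLOCK-----\n"
```

For a real key downloaded from the feed, `gpg --show-keys --with-fingerprint key.asc` (GnuPG 2.2 or later) prints the same 40-hex-digit value that `v4_fingerprint` returns, so the pinned copy can be produced with either tool.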

