| Proyecto: | Trisquel |
| Versión: | 6.0 |
| Componente: | Installer |
| Categoría: | informe de fallo |
| Prioridad: | critical |
| Asignado: | No asignado |
| Estado: | closed |
Authentic Triquel installation ISO-images can currently only be verified with an MD5 hash that is published on a server with an unsecure connection ( http://cdimage.trisquel.info/trisquel-images/md5sum.txt ).
This is a critical security problem. Images could be modified by an attacker with the current practice.
MD5 is regarded as obsolete and unsecure. It has been proven broken since 2004. Please see http://th.informatik.uni-mannheim.de/people/lucks/HashCollisions/ for more information and links to documentation of the exploits.
Trisquel should adopt cryptographically secure signing practices to assure the integrity and authenticity of published installation media.
I suggest that all images is to be signed with GPG.
Images are signed now. Info about how to check gpg signatures is avaliable here
Automatically closed -- issue fixed for 2 weeks with no activity.