Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Xen: Users

[XCP] Authenticty of XCP installation image.

 

 

Xen users RSS feed   Index | Next | Previous | View Threaded


mkosmita at gmail

Apr 20, 2012, 1:56 AM

Post #1 of 3 (317 views)
Permalink
[XCP] Authenticty of XCP installation image.

Hi.

How do I verify authenticity and integrity of downloaded XCP installation iso?
I cannot find any digital signature or any page serving cryptographic
hash over a secure connection. The download is also not available over
httpS...

Please help.

_______________________________________________
Xen-users mailing list
Xen-users [at] lists
http://lists.xen.org/xen-users


outbackdingo at gmail

Apr 21, 2012, 4:47 PM

Post #2 of 3 (298 views)
Permalink
Re: [XCP] Authenticty of XCP installation image. [In reply to]

On Fri, Apr 20, 2012 at 4:56 AM, Michał Karaś <mkosmita [at] gmail> wrote:
> Hi.
>
> How do I verify authenticity and integrity of downloaded XCP installation iso?
> I cannot find any digital signature or any page serving cryptographic
> hash over a secure connection. The download is also not available over
> httpS...
>

Wow no too paranoid...... md5sum d80538645c4b3c8db8a3ec3e7c2546c2
53341/XCP-1.5-beta-base-53341.iso

> Please help.
>
> _______________________________________________
> Xen-users mailing list
> Xen-users [at] lists
> http://lists.xen.org/xen-users

_______________________________________________
Xen-users mailing list
Xen-users [at] lists
http://lists.xen.org/xen-users


mkosmita at gmail

Apr 27, 2012, 11:29 AM

Post #3 of 3 (266 views)
Permalink
Re: [XCP] Authenticty of XCP installation image. [In reply to]

Hi.

Thank you for your answer however it is not enough...

http://en.wikipedia.org/wiki/Md5#Security

I believe md5 should not be used any more for security related
purposes. These days computing a sha256 or at least sha1 should be
used. Even sha1 was phased out by US gov in the 2010...

Also plain email or http is not a secure way of communicating hash
because it could easily be altered by malicious routers or ISP...

Solutions to this is either serving the hash over secure connection
like ssl/tls (httpS)
or signing a file cryptographically like using pgp/gnupg.


Thank you for trying to help...




On 4/21/12, Outback Dingo <outbackdingo [at] gmail> wrote:
> On Fri, Apr 20, 2012 at 4:56 AM, Michał Karaś <mkosmita [at] gmail> wrote:
>> Hi.
>>
>> How do I verify authenticity and integrity of downloaded XCP installation
>> iso?
>> I cannot find any digital signature or any page serving cryptographic
>> hash over a secure connection. The download is also not available over
>> httpS...
>>
>
> Wow no too paranoid...... md5sum d80538645c4b3c8db8a3ec3e7c2546c2
> 53341/XCP-1.5-beta-base-53341.iso
>
>> Please help.
>>
>> _______________________________________________
>> Xen-users mailing list
>> Xen-users [at] lists
>> http://lists.xen.org/xen-users
>

_______________________________________________
Xen-users mailing list
Xen-users [at] lists
http://lists.xen.org/xen-users

Xen users RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.