If you have a pre-shared trusted signature to check against (like with your distro’s repos), yes. But… that’s obviously not the case since we are talking installing software from the developer’s website.
Whatever cryptografic signature you can get from the same potentially compromised website you get the software from would be worth as much as the usual md5/sha checksums (ie. it would only check against transmission errors).
That would be “a pre-shared trusted signature to check against”, and is seldom available (in the real world where people live - yes, there are imaginary/ideal worlds where PGP is widespread and widely used) :)
My bad for causing confusion: when I wrote “trusted signature” I should have said “trusted public key”.
The signatures in an apt repo need to be verified with some public key (you can think of signatures as hashes encrypted with some private key).
For the software you install from your distro’s “official” repo, that key came with the .iso back when you installed your system with (it may have been updated afterwards, but that’s beyond the point here).
When you install from third-party repos, you have to manually trust the key (IIRC in Ubuntu it’s something like curl <some-url> | sudo apt-key add -?). So, this key must be pre-shared (you usually get it from the dev’s website) and trusted.
@gomp Yes but the point is that it comes from a different place and a different time, so for you to execute a compromised program, it would have to be compromised for a prolonged time without anyone else noticing. You are protected by the crowd. In curl|sh you are not protected from this at all
Installing a .deb is what I was thinking about.
If you have a pre-shared trusted signature to check against (like with your distro’s repos), yes. But… that’s obviously not the case since we are talking installing software from the developer’s website.
Whatever cryptografic signature you can get from the same potentially compromised website you get the software from would be worth as much as the usual md5/sha checksums (ie. it would only check against transmission errors).
@gomp Why would you be taking the signature from the same website? Ever heard of PGP key servers?
That would be “a pre-shared trusted signature to check against”, and is seldom available (in the real world where people live - yes, there are imaginary/ideal worlds where PGP is widespread and widely used) :)
@gomp You mean, as seldom available as every
apt install
ever? https://superuser.com/a/990153My bad for causing confusion: when I wrote “trusted signature” I should have said “trusted public key”.
The signatures in an apt repo need to be verified with some public key (you can think of signatures as hashes encrypted with some private key).
For the software you install from your distro’s “official” repo, that key came with the .iso back when you installed your system with (it may have been updated afterwards, but that’s beyond the point here).
When you install from third-party repos, you have to manually trust the key (IIRC in Ubuntu it’s something like
curl <some-url> | sudo apt-key add -
?). So, this key must be pre-shared (you usually get it from the dev’s website) and trusted.@gomp Yes but the point is that it comes from a different place and a different time, so for you to execute a compromised program, it would have to be compromised for a prolonged time without anyone else noticing. You are protected by the crowd. In curl|sh you are not protected from this at all