Thread: general question re: .asc and .md5
View Single Post

   
  #4 (permalink)  
Old 02-19-2008, 03:57 PM
+Alan Hicks+
 
Posts: n/a
Default Re: general question re: .asc and .md5
NOTE: This message was sent thru a mail2news gateway.
No effort was made to verify the identity of the sender.
--------------------------------------------------------

pgp trash troll delete

Hicks, Alan
188 Shady Dale Dr
Lizella, GA 31052
478-935-8132

+Alan Hicks+ <alan@lizella.network> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> In alt.os.linux.slackware, R.Spinks dared to utter,
>> First -- I'm BRAND new. I have 0 Linux experience and am just trying to set
>> up my first install. What are .asc and .md5 files. Do I need those in
>> addition to the .iso or can I just burn the .iso and install?
>
> So it's your first day here? I recommend reading the FAQ (it's posted
> here daily) the Good Book (www.slackware.com/book) and the Good Book 2
> (slackbook.lizella.net).
>
> Now onto your question.
>
> You most often see .asc and .md5 files on slackware packages. Something
> like package_name-version-i486-0.tgz.asc. An asc file is a plain ASCII
> file that includes a digital signature. The theory here is a little
> complex so hold on if you will.
>
> Digital dignatures work like this. I create an RSA key pair. This key
> pair is used to encrypy/decrypt messages as well as sign/verify
> messages. One key is a public key to be distributed to the world and
> one is a secret/private key to be known only by me. Something encrypted
> with the public key can only be decrypted with the private key, and
> vice-versa.
>
> So, if I want to send you an encrypted e-mail message, I find your
> public key and encrypt the message with it, knowing that only you have
> your secret key and thus only you can decrypt it.
>
> Now, if I want you to know that this message (or package as the case
> may be) came from me instead of some one else, I use my private key to
> make a hash of the message. Then anyone with my public key can verify
> that I am the one who sent that message.
>
> .asc files let you verify that the package was actually made by
> Slackware. If an ftp server is compromised a cracker could upload his
> own package that contains a root kit or something similar that could
> wreck havoc on your system. If he did that, the .asc file wouldn't
> match up. Even if he put his own .asc file up there, it wouldn't match
> to Slackware's public key, and thus you'd know not to trust the
> package.
>
> .md5 is much easier. MD5 is a mathematical has function that basically
> converts one big number into a smaller hexadecimal number. The first
> number always computes to the second number. Two files the same name,
> same size, but with different data produce different MD5 hashes. So, if
> you download this iso or package and run the md5sum command on it, and
> that output doesn't match the .md5 file, something went wrong. Either
> you downloaded the wrong package or something went bad in your
> download.
>
> - --
> It is better to hear the rebuke of the wise,
> Than for a man to hear the song of fools.
> Ecclesiastes 7:5
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
>
> iD8DBQFBWXnBlKR45I6cfKARAidqAJ9stwaQJVJzE0wLKJLg7G pXtw3epACfe9gb
> x1yzg3SSRfcolbABHJBI01c=
> =Xpix
> -----END PGP SIGNATURE-----



















































Reply With Quote