Add authenticity check when downloading eOS

  • /e/ version: all
  • Device model: all

Summary

Add an authenticity check when downloading the eOS installer

This improvement concerns

  • Privacy and security

Description

What is the current behavior?

It is possible to make an integrity check thanks to the checksum files (MD5 and SHA256).

What is the improved behavior?

The checksum files should be authenticated by a PGP signature.

What does it bring?

This would ensure that the downloaded file is the one put online by the e.foundation. Otherwise the zip file and the checksum files could be replaced by corrupt files if the website has been compromised.

How to do it

Make it easy to download the e.foundation public key from a secure server. Sign the checksum files with the e.foundation public key. Document the verification process.

Examples

Example of how Linux Mint does it: https://linuxmint.com/verify.php

Validation

Authentication process is clear and easy to follow.
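
A sketch of what the documented verification step could look like on the user's side, added here as an example and not taken from the issue or from e.foundation. It assumes a detached signature over the SHA256 checksum file, made with the publisher's private key, and a key fingerprint the user obtained through a separate channel; every file name and the fingerprint are placeholders.

```shell
#!/bin/sh
# Added example. File names and the fingerprint are placeholders (assumptions),
# not values published by the project.

# check_signature KEYFILE EXPECTED_FPR SIGFILE CHECKSUMFILE
# Succeeds only if gpg reports VALIDSIG for SIGFILE over CHECKSUMFILE from the
# key whose primary fingerprint (40 uppercase hex digits) is EXPECTED_FPR.
check_signature() {
    home=$(mktemp -d) || return 1
    # Throwaway keyring: only the key passed in can validate the signature.
    status=$( { gpg --homedir "$home" --batch --quiet --import "$1" &&
                gpg --homedir "$home" --batch --status-fd 1 \
                    --verify "$3" "$4"; } 2>/dev/null ) || true
    rm -rf "$home"
    # On a VALIDSIG status line the last field is the primary key fingerprint.
    signer=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF }')
    [ -n "$signer" ] && [ "$signer" = "$2" ]
}

# check_digest CHECKSUMFILE IMAGE
# Succeeds only if CHECKSUMFILE lists IMAGE exactly once with its real SHA-256.
check_digest() {
    want=$(awk -v f="$(basename "$2")" \
        '{ sub(/^\*/, "", $2) } $2 == f { print $1 }' "$1")
    have=$(sha256sum "$2" | awk '{ print $1 }')
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# verify_release KEYFILE EXPECTED_FPR SIGFILE CHECKSUMFILE IMAGE
# Signature first: a digest is trusted only once its file is authenticated, so
# a swapped image plus a swapped checksum file is rejected at step one.
verify_release() {
    check_signature "$1" "$2" "$3" "$4" ||
        { echo "BAD SIGNATURE on $4" >&2; return 1; }
    check_digest "$4" "$5" ||
        { echo "DIGEST MISMATCH for $5" >&2; return 2; }
    echo "OK: $5 matches a checksum file signed by $2"
}

# Stand-alone use: sh verify.sh KEYFILE FPR SIGFILE CHECKSUMFILE IMAGE
if [ "$#" -eq 5 ]; then verify_release "$@"; fi
```

Comparing against a fingerprint fetched from somewhere other than the download server is what keeps a compromised website from swapping the key together with the files.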