Add authenticity check when downloading eOS
- /e/ version: all
- Device model: all
Summary
Add an authenticity check when downloading the eOS installer
This improvement concerns
- Privacy and security
Description
What is the current behavior?
It is possible to make an integrity check thanks to the checksum files (MD5 and SHA256).
What is the improved behavior?
The checksum files should be authenticated by a PGP signature.
What does it bring?
This would ensure that the downloaded file is the one put online by the e.foundation. Otherwise the zip file and the checksum files could be replaced by corrupt files if the website has been compromised.
How to do it
Make it easy to download the e.foundation public key from a secure server. Sign the checksum files with e.foundation public key. Document the verification process.
Examples
Example of how Linux Mint does it: https://linuxmint.com/verify.php
Validation
Authentication process is clear and easy to follow.
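
The verification process requested under "How to do it" could look like the following sketch. It is an added example, not part of the original issue and not e.foundation code; the key file, fingerprint and file names are caller-supplied placeholders, and it assumes `gpg` and `sha256sum` are installed.

```shell
#!/bin/sh
# Added example. Key file, fingerprint and file names are supplied by the
# caller; nothing here is an official e.foundation value.

# check_sum SUMS IMAGE: succeed if IMAGE's SHA-256 equals the entry that SUMS
# (sha256sum format) lists for IMAGE's base name.
check_sum() {
    name=$(basename "$2")
    want=$(awk -v f="$name" \
        '{ n = $2; sub(/^\*/, "", n) } n == f { print $1; exit }' "$1")
    have=$(sha256sum "$2" | cut -d' ' -f1)
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# verify_download KEY FPR SUMS SIG IMAGE
#   KEY  publisher's public key file
#   FPR  its 40-hex-digit primary fingerprint, obtained over a separate channel
#   SIG  detached signature over SUMS
# Returns 0 only if SIG is a good signature over SUMS by the key FPR and
# IMAGE matches its entry in SUMS; 2 on bad arguments; 1 otherwise.
verify_download() {
    key=$1 sums=$3 sig=$4 image=$5
    fpr=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    case $fpr in ''|*[!0-9A-F]*) return 2 ;; esac
    [ "${#fpr}" -eq 40 ] || return 2
    for f in "$key" "$sums" "$sig" "$image"; do
        [ -r "$f" ] || return 2
    done
    # Throwaway keyring: only the imported key can validate the signature.
    home=$(mktemp -d) || return 2
    rc=1
    # The VALIDSIG status line ends with the primary key fingerprint, so the
    # grep pins the signer to FPR rather than to "any key in the file".
    if gpg --homedir "$home" --batch --quiet --import "$key" 2>/dev/null &&
       status=$(gpg --homedir "$home" --batch --status-fd 1 \
                    --verify "$sig" "$sums" 2>/dev/null) &&
       printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG .* $fpr\$" &&
       check_sum "$sums" "$image"
    then
        rc=0
    fi
    rm -rf "$home"
    return "$rc"
}
```

The signature is checked before the checksum, so a checksum file swapped together with the zip on a compromised server is rejected before its hashes are trusted.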