Honestly I don't think signing their hashes would help, since most people are going to download the signature file at the same time as the hash file, so anyone who replaces the hash with a malicious one would also replace the signature file with a malicious one.
There is the "signature file" for the md5hashes ... and then there are the signatures (the actual public keys). The point of the "signature file" for the md5hashes is that it can be verified that it was someone who had the private key matching the associated public key.
Now anybody can create their own private+public key ... so it's good to try to verify that the person who created it is who they say they are. That's the old "web of trust" aspect and "signing key parties" which don't really exist anymore. Instead, I use the "trust over time" aspect. For most distros I've used, I've already added their public key to my gpg trusted box. But if someone's isn't there, I look at when it was created as well as use the wayback machine to see how long it has been used in context.
It only takes one of us who verifies signatures (and there are many) to expose a bad signature.
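As an added example (not written by either commenter), here is the verification the reply above describes, arranged so it answers the first comment's concern: a shell function that accepts the detached signature on a checksum file only if the signing key's fingerprint matches one pinned out of band (your own keyring, earlier releases, the wayback history mentioned above), and only then checks the downloaded artifact against that file. It assumes GnuPG 2.x, coreutils `sha256sum`, and that the signing key has already been imported; the `verify_release` name and its arguments are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread). An attacker who swaps the checksum
# file can swap the signature file next to it too, so the signature proves
# nothing on its own. What the attacker cannot do is sign with the key whose
# fingerprint you recorded earlier, so the fingerprint is an argument here
# and is never read from the download directory.
# Assumes GnuPG 2.x and coreutils sha256sum; the key must already be imported.

# verify_release SUMS SUMS.sig PINNED_FINGERPRINT ARTIFACT
# Exit 0 only if: the signature verifies, it was made by the pinned key, and
# ARTIFACT's sha256 matches its own line in SUMS.
verify_release() {
    sums=$1 sig=$2 artifact=$4
    # Normalise a fingerprint pasted with spaces or in lower case.
    pinned=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')

    # Use the machine-readable status lines, not gpg's human-readable output.
    # VALIDSIG carries the full fingerprint of the key that made the signature.
    # A bad or missing signature makes gpg exit non-zero and we stop here.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null) || {
        echo "signature on $sums did not verify" >&2; return 1; }
    case "$status" in
        *"[GNUPG:] VALIDSIG $pinned "*) ;;
        *) echo "signature was not made by pinned key $pinned" >&2; return 1 ;;
    esac

    # Only the line for our artifact matters; a missing line is a failure,
    # not a pass. sha256sum writes "hash  name" or "hash *name" (binary mode).
    name=$(basename "$artifact")
    expected=$(awk -v f="$name" '$2 == f || $2 == "*" f { print $1; exit }' "$sums")
    [ -n "$expected" ] || { echo "no entry for $name in $sums" >&2; return 1; }
    actual=$(sha256sum "$artifact" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name" >&2; return 1
    fi
    return 0
}
```

Run it as `verify_release SHA256SUMS SHA256SUMS.sig <fingerprint> image.iso` after importing the key; a non-zero exit with a message on stderr tells you which of the three checks failed.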