SCIENTIFIC-LINUX-USERS Archives

February 2012

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Horvath Andras <[log in to unmask]>
Reply To: Horvath Andras <[log in to unmask]>
Date: Tue, 28 Feb 2012 12:44:03 +0100
Content-Type: text/plain
Parts/Attachments: text/plain (64 lines)

Hi William,

Thanks for the suggestion, but actually that's not what I'm looking for.

When I download an ISO, I also download the SHA1SUM file too to check
the integrity of the ISO file. But because these 2 files come down
through an unencrypted line, I cannot be sure that nobody has tampered
with both of them at the same time, changing the ISO file, and then
changing the SHA1SUM file too to make it match the file.

AFAIK other Linux distros do sign their SHA or MD5 summary files, like
for example Debian, here:
http://cdimage.debian.org/debian-cd/6.0.4/amd64/iso-cd/

Once I have stored the GPG key, I can then check the signatures with it after all.
The SUMS keep changing, but the keys don't.

I think it's practical, hence the reason I wanted to figure this out.

Thanks.


Andras


On Tue, 28 Feb 2012 02:04:56 -0800 (PST)
William Shu <[log in to unmask]> wrote:

> Dear Horvath,
> I suppose you mean values for Scientific Linux iso's? They are found
> in the relevant iso directories. For example:
> http://ftp1.scientificlinux.org/linux/scientific/6.1/i386/iso/SHA1SUM
> http://ftp1.scientificlinux.org/linux/scientific/6.1/x86_64/iso/SHA1SUM
> 
> 
> William.
> 
> 
> 
> 
> >________________________________
> > From: Horvath Andras <[log in to unmask]>
> >To: [log in to unmask] 
> >Sent: Tuesday, February 28, 2012 8:39 AM
> >Subject: digital signatures for SHASUMS, where?
> > 
> >Dear List,
> >
> >Could anyone kindly tell me where I can find any digital signatures
> >that belong to the SHA1SUM or other hashes of the downloadable .iso
> >files (installer and live ISO)?
> >
> >Since the ISO files have to be downloaded through an unencrypted FTP
> >or HTTP connection along with their hash files, both could easily be
> >manipulated and changed on the way to the user's machine.
> >
> >What am I missing here?
> >
> >
> >Thanks!
> >
> >
> >
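
The check discussed in this thread (a stored key authenticates the changing sums file, which in turn authenticates the ISO), sketched as an added example that is not part of the original messages or of Scientific Linux's tooling. The signature file name `SHA1SUM.sig` and the pinned fingerprint are hypothetical; the thread does not establish that such a signature is published.

```sh
#!/bin/sh
# Added example. SHA1SUM.sig and the fingerprint passed in are hypothetical.

# Read `gpg --status-fd` lines on stdin. Succeed only if a VALIDSIG line names
# the pinned fingerprint (signing key or its primary key) and nothing reports
# a bad, expired or revoked signature or key.
status_has_pinned_sig() {
    awk -v want="$1" '
        BEGIN { want = want "" }          # force string comparison
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit ((ok && !bad) ? 0 : 1) }'
}

# Compare the ISO's SHA-1 with its entry in the sums file. This is only
# meaningful after the sums file itself has been authenticated.
iso_matches_sums() {
    name=$(basename "$2")
    want=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) }
                             f == n { print $1; exit }' "$1")
    have=$(sha1sum "$2" | awk '{ print $1 }')
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# usage: verify_download SHA1SUM SHA1SUM.sig image.iso PINNED_FINGERPRINT
verify_download() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        status_has_pinned_sig "$4" ||
        { echo "signature on $1 not made by pinned key" >&2; return 1; }
    iso_matches_sums "$1" "$3" ||
        { echo "checksum mismatch for $3" >&2; return 1; }
    echo "OK: $3"
}

if [ "$#" -eq 4 ]; then verify_download "$@"; fi
```

The fingerprint is given as 40 uppercase hex digits without spaces, the form gpg prints in its VALIDSIG status line, and should be obtained once over a channel independent of the mirror.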
