SCIENTIFIC-LINUX-USERS Archives

February 2012

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Horvath Andras <[log in to unmask]>
Reply To: Horvath Andras <[log in to unmask]>
Date: Tue, 28 Feb 2012 13:21:08 +0100
On Tue, 28 Feb 2012 06:56:38 -0500
Nico Kadel-Garcia <[log in to unmask]> wrote:

> On Tue, Feb 28, 2012 at 6:44 AM, Horvath Andras <[log in to unmask]>
> wrote:
> 
> > Hi William,
> >
> > Thanks for the suggestion, but actually that's not what I'm looking
> > for.
> >
> > When I download an ISO, I also download the SHA1SUM file to
> > check the integrity of the ISO file. But because these two files come
> > down through an unencrypted line, I cannot be sure that nobody has
> > tampered with both of them at the same time, changing the ISO file
> > and then changing the SHA1SUM file too to make it match the file.
> >
> > AFAIK other Linux distros do sign their SHA or MD5 summary files,
> > like for example Debian, here:
> > http://cdimage.debian.org/debian-cd/6.0.4/amd64/iso-cd/
> >
> > Once I have stored the GPG key, I can check the signatures with it
> > after all. The SUMS keep changing, but the keys don't.
> >
> > I think it's practical, hence the reason I wanted to figure this
> > out.
> >
> > Thanks
> >
> Oh, yeah, OK. What you're referring to has little to nothing to do
> with encryption of the channel. It's *provenance* of the ISO image and
> checksums, establishing that the binary material on the mirror server
> is, in fact, that provided by our faithful software authors.
> 
> In this case, you can get the checksums from the primary website at
> http://ftp.scientificlinux.org/linux/scientific/, and get the iso
> files anywhere you want. I still think it's a good idea to add this,
> though, just as the RPM's themselves are GPG signed.

That's what I follow currently, but the question still persists:

The primary website is plain unencrypted HTTP too, so it is easy to
modify the data on the gateways during the download.

I understand that I cannot even make sure to get the right GPG key if I
try to get it from anywhere on the web without contacting the person. But
since the SHASUMS keep changing constantly and the GPG keys probably
don't (or only very rarely), I would consider it safer.

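The flow discussed in this thread, as an added example that is not part of the original message and not code from the Scientific Linux project: a publisher signs the SHA1SUM file with a long-lived key, a man-in-the-middle rewrites both the ISO and the SHA1SUM file on an unencrypted mirror, and the downloader checks the signature against a key stored on an earlier visit before trusting the hashes. The throwaway release key, the fake ISO, the directory names and the file name SHA1SUM.sign are all constructed for the demo; it assumes gpg (2.1 or later), gpgconf and sha1sum are installed and runs entirely offline in a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the thread or from Scientific Linux.
# Everything below (key, "ISO", file names) is constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

# --- Publisher side: long-lived release key, only its public half leaves ----
export GNUPGHOME="$WORK/publisher"; mkdir -m 700 "$GNUPGHOME"
echo allow-loopback-pinentry > "$GNUPGHOME/gpg-agent.conf"
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Demo Release Key (not a real SL key)' default sign 1d
mkdir "$WORK/mirror" && cd "$WORK/mirror"
printf 'pretend this is the ISO image\n' > sl-demo.iso   # constructed "ISO"
sha1sum sl-demo.iso > SHA1SUM                             # the checksum file
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --armor --detach-sign --output SHA1SUM.sign SHA1SUM   # signature over it
gpg --batch --quiet --armor --export > "$WORK/release-key.asc"
gpgconf --kill gpg-agent 2>/dev/null || true

# --- Man-in-the-middle on the unencrypted line: rewrites ISO *and* SHA1SUM --
cp -r "$WORK/mirror" "$WORK/tampered"
( cd "$WORK/tampered" &&
  printf 'backdoored image\n' > sl-demo.iso &&
  sha1sum sl-demo.iso > SHA1SUM )   # SHA1SUM.sign cannot be regenerated without the private key

# --- Downloader side: keyring holds only the key stored on a previous visit --
export GNUPGHOME="$WORK/downloader"; mkdir -m 700 "$GNUPGHOME"
gpg --batch --quiet --import "$WORK/release-key.asc"

# hash_only DIR: what an unsigned SHA1SUM gives you (integrity, no provenance).
hash_only() { ( cd "$1" && sha1sum --check --status SHA1SUM ); }

# verify_iso DIR: the signature over SHA1SUM must verify with the stored key
# first; only then is the hash inside SHA1SUM worth comparing against the ISO.
verify_iso() {
    ( cd "$1" &&
      gpg --batch --quiet --verify SHA1SUM.sign SHA1SUM 2>/dev/null &&
      sha1sum --check --status SHA1SUM )
}

for d in mirror tampered; do
    if hash_only "$WORK/$d";  then echo "$d: sha1sum -c passes"
    else echo "$d: sha1sum -c FAILS"; fi
    if verify_iso "$WORK/$d"; then echo "$d: signed check passes"
    else echo "$d: signed check FAILS"; fi
done
```

Both directories pass the bare sha1sum check, because the attacker rewrote the checksum file to match; only the signature check tells them apart. The remaining weak point is exactly the one raised in the reply above: the downloader's keyring is only as good as the first import, so the key's fingerprint has to be confirmed out of band (from a previous install, a second network path, or the people who run the project) rather than taken from the same HTTP mirror. The hash algorithm is incidental to this flow; the same script works with sha256sum and a SHA256SUMS file.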