GPG Keys and hashes of popular Linux distributions


#1

I would like to suggest regularly broadcasting the GPG keys and hashes used by popular Linux distributions and their installation media.

Somebody might have a way to get a copy of an installation CD or a USB stick; in this way they additionally have the possibility to verify that the installation has not been tampered with.

This feature might even be usable in countries where a good internet connection is available but you can’t trust your provider.

Additionally, this information should be very small to transmit.


#2

Do you know of any central location where such keys and hashes are collected (or some easy way to collect them)?


#3

First of all I have to admit that I do not have a final, ready-to-go solution.
The GPG keys used for signing the hash files certainly do not change very often.

More information can, for example, be found here: https://help.ubuntu.com/community/VerifyIsoHowto

Collecting the hashes in an automated way should be rather easy to implement:
parse through the download directories of the distribution servers and collect the hash + GPG files,
e.g. http://cdimage.ubuntu.com/releases/14.04/release/

If including this information is seriously considered, I might have a look at whether I could provide a sample implementation…


#4

If this is done, I think outernet’s servers must download the hashes and signatures, verify them with the keys downloaded from ubuntu’s key server or any other sks key server (eg. pgp.mit.edu) and then broadcast them (both hash and sig in case end user wishes to verify the sig on their end). I think outernet’s servers should verify the signatures before broadcasting because outernet’s users may not have access to the internet. How will they access a key server and verify the signature?