My first post here. I’m considering switching from Debian to PureOS because it guarantees that its distribution contains only free software. Great for me! Having used Debian for a long time, I’m used to verifying the checksum and signature of every .iso file I download. I’m now learning that PureOS takes a different approach to Debian when it comes to signing ISOs. Here and here I read that I should trust the Let’s Encrypt certificate, whilst here I see a request to add a .sign file dating back to 2018, on which I can’t find any further updates.
I would like an explanation and confirmation as to whether it is indeed correct to simply trust the Let’s Encrypt certificate, and I would like to understand PureOS’s reasons for not issuing .sign files for the ISOs.
Perhaps I didn’t explain myself clearly, sorry. For me this is sufficient now that I need to choose a new operating system after losing my Debian installation from before 2022.
Could you please give me your views on the matter of PureOS signing ISO files?
I wouldn’t take carlosgonz’s word too seriously. PureOS does meet the definition of a Free OS. carlosgonz has been on a crusade to slander those that don’t follow his definition of Free Software, which doesn’t align with the FSF.
I think they should sign their ISO checksum files. It would be consistent with the fact that their “Core People” page listed the public keys for their staff/employees/associates. I’ve said so on this forum before.
That said, those signatures are often misunderstood by the users. There is some confusion in regard to understanding the web-of-trust with GPG signatures — specifically, one shouldn’t trust the current web page to be an accurate indication of public signing keys.
Of course, similarly, one shouldn’t trust that Purism’s download page hasn’t been hacked just because its certificate is valid.
But I hope you are aware that most distros don’t just provide the checksum, they provide a signature of the checksum file so that you can see if it was put there by somebody you trust. Purism doesn’t do that. That was the OP’s point.
Also, maybe as a quick note, Purism believes in freedom and that means the freedom to do the wrong thing. That also means that even though I personally believe Privacy2 is a shill for some company other than Purism, who has publicly stated that they have never purchased Purism hardware nor probably ever will – and I’m guessing Privacy2 doesn’t use PureOS – they nevertheless are free to reply to you in any way of their choosing on these forums.
I do not personally verify the signatures of the PureOS isos before using them, so I am scarcely any help here other than encouraging you not to be dissuaded from Purism technology by naysayers.
But I wrote this message to you from PureOS. My non-checksum-verified version of the OS has been running nicely for me for years.
(And by “nicely” I mean to say that I am probably more compromised as an individual technologically than Privacy2 ever will be or ever has been. But I do not know it, and I live in denial, and denial is an enjoyable experience.)
Not only do you not verify ISO signatures … you can’t. That’s the point: Purism does not sign the ISO checksums.
It should cost them nothing to do. Yet it takes away my freedom to do a proper verification.
Everyone should take notice from the Mint hack in 2016. The hackers gave out compromised ISOs and they updated the checksum files for those compromised ISOs. The only way they were discovered is that the users who torrented non-hacked ISOs (only the http download links were hacked) couldn’t get their checksums to match the hacked checksum files.
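The failure mode described above (the attacker swaps both the ISO and the checksum file, and only a user with an independently obtained copy notices), replayed as an added example that is not from this thread or from Purism; the image bytes and filename are constructed stand-ins:

```python
import hashlib

def parse_sha256sums(text):
    """Parse the '<hex digest>  <filename>' lines of a SHA256SUMS file."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        name = name.lstrip("*")  # a leading '*' marks binary mode in sha256sum output
        if not sep or len(digest) != 64 or not name:
            raise ValueError(f"malformed SHA256SUMS line: {line!r}")
        sums[name] = digest.lower()
    return sums

def checksum_matches(sums_text, name, data):
    """True if 'data' hashes to the digest listed for 'name' in the sums file."""
    return parse_sha256sums(sums_text).get(name) == hashlib.sha256(data).hexdigest()

def make_sums(name, data):
    """Build a one-line SHA256SUMS file, as release tooling would."""
    return f"{hashlib.sha256(data).hexdigest()}  {name}\n"

# Constructed stand-ins for a real image; not actual PureOS bytes.
GENUINE_ISO = b"constructed: genuine release image"
TROJANED_ISO = b"constructed: backdoored image served from the hacked HTTP path"
ISO_NAME = "example-release.iso"

def mint_2016_scenario():
    """Replay the shape of the 2016 incident: attacker swaps the ISO *and* the checksum file."""
    genuine_sums = make_sums(ISO_NAME, GENUINE_ISO)    # what release tooling published
    attacker_sums = make_sums(ISO_NAME, TROJANED_ISO)  # what the hacked server now serves
    return {
        # Fetched ISO and sums from the hacked HTTP server: everything matches.
        "http_download_looks_fine": checksum_matches(attacker_sums, ISO_NAME, TROJANED_ISO),
        # Genuine ISO via torrent, sums file from the hacked server: mismatch is the only clue.
        "torrent_user_sees_mismatch": not checksum_matches(attacker_sums, ISO_NAME, GENUINE_ISO),
        # An unsigned sums file carries nothing that proves who wrote it; it simply changed.
        "sums_file_silently_changed": genuine_sums != attacker_sums,
    }

# A detached signature over SHA256SUMS (checked with `gpg --verify SHA256SUMS.sign SHA256SUMS`
# against a release key obtained out of band, as Debian publishes) is the step that catches
# attacker_sums: the attacker can rewrite the sums file but cannot sign it with the release key.
```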
I don’t. A few years back (approx 2018, when Rankin still worked for Purism), I was going to try out PureOS on a VM.
I didn’t because they weren’t signed. I had an online discussion with Rankin about it. It’s why I don’t trust Rankin’s viewpoints. IMO for a “privacy and security” company like Purism, it’s horrible that they don’t sign their ISO checksums.
Interestingly, Purism does sign their debs for package updates. They place their public GPG keys in /etc/apt/trusted.gpg.d/pureos-archive-keyring.gpg. Clearly they think it’s important to verify package integrity. What’s clear to me, is that they don’t trust the PureOS users to understand how signatures work.
They don’t provide a signature. Therefore it is obviously impossible to verify a signature.
I agree. I think they should provide a signature.
(Strangely, they manage to sign the canary - and last time I did it, that verified correctly.)
Nah. That goes well beyond the available facts, in the absence of any actual statement for Purism.
It could equally be just a question of priorities (since this is not the first time this issue has been raised but it has not been addressed).
Also, as has been raised in this forum before, if you want to have an automated nightly build environment then hashing is easy but signing is not so easy (if you want the signature to mean something).
However signing the current official release is a separate question from signing a nightly build.
I wouldn’t take either of those as definitive statements from Purism.
In any case, if a distro wants to allow mirrors then there’s no way that a certificate provides that level of assurance. I mean obviously you do want the certificate for the site providing the download to be valid and appropriate - but you still need a signature on the downloaded contents.
You can’t tell me my own experiences. When I say “it’s clear to me”, I mean that. Part of why “it’s clear to me” is that I recall Rankin discussing with me how most people don’t actually make sure that the signing key is trusted. I agreed, but insisted that it would be useful for people who do understand. I can’t link that conversation because I can no longer find it … but it’s still “clear to me”.
I asked Gemini to help me. Gemini matched my memory, but did not give a link. [Because answers are irrelevant without the prompts. Prompt 1: “rankin purism PGP signature ISO”. Prompt 2 after it lied and said that Purism does sign their ISO checksums and that Rankin advocates for that I prompted: “No. Purism does not PGP sign their ISO checksums. And Rankin told me that they don’t intend to. Where is Rankin on record saying that they should?” ]
In practice at Purism, Rankin often defended the use of SHA256 sums over HTTPS for the general public because he viewed PGP as too complex for average users, potentially leading to a “false sense of security” if not done correctly.
That matches my memory of the conversation I had with Rankin c. 2018.
Also, it should be pointed out again that they sign all of their repo updates. I’m sure it was automated a long time ago and I’m not even sure what apt would do for unsigned dpkgs in the repo.
The argument would be that they would only provide mirrors for the ISOs and the checksums would be only on purism servers. That said, a certificate doesn’t mean that the server hasn’t been hacked.
My objection was to the idea that this is Purism’s current position, i.e. objecting to “Purism doesn’t trust PureOS users to understand how signatures work”.
You are citing-by-recalling / relying on an AI??? regarding a single unknown conversation from (perhaps) 8 years ago with a single Purism employee who hasn’t been with Purism for quite some years. Isn’t the AI also lying (hallucinating) if it says “someone often did something” (my emphasis) but provides no supporting evidence whatsoever?
Don’t get me wrong. I agree with you: .iso files should have a digital signature.
Technically speaking it is not at all important that any user understands how signatures work. It is important that users understand how to verify a signature or, better still, that signatures are verified by default and that users understand the risks in ignoring a failure in the verification / the risks in not verifying.
Rando option: the PureOS download web server could implement RFC 9421, so that HTTP messages are signed and signature verification can be automatic in the browser.