Closed konstantingoretzki closed 6 years ago

Wouldn't it be better to use another checksum like SHA-256 instead of the collision-prone MD5 for the Antergos ISOs? I understand that the checksum is maybe only for integrity reasons, to check that everything "is there"; however, I think that integrity is also important on the security side, especially if I install an OS with the installer. Mainly, if I download the ISOs from other OSs, it's very circuitous to work with signature files, therefore I think it would be great to provide (strong!) checksums.

You are correct that the checksums are for data integrity only and not security. For security the entire ISO image is signed with our GPG key. You can use GPG to verify the copy you download.

Yeah, but working with GPG signatures is circuitous from OSs like Windows. Why not just provide a strong hash which serves both purposes? It makes it a lot easier.
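As an added example (not code from the Antergos project or from anyone in this thread), a POSIX shell script that performs both checks the thread distinguishes: the SHA-256 checksum answers "did the bytes arrive intact?", the detached GPG signature answers "did the project publish this file?". The file names, the sha256sum-style checksum file and the out-of-band keyring path are assumptions.

```shell
#!/bin/sh
# Added example, not Antergos project code. Verify a downloaded ISO in two steps:
#   1) SHA-256 from a "sha256sum"-style file  -> integrity (corrupt/partial download)
#   2) detached GPG signature over the ISO    -> authenticity (published by the key holder)
# A checksum served next to the ISO can be swapped together with the ISO, so only
# step 2 is a security check; step 1 is still worth doing to catch bad downloads.

# sha256_of FILE: print the hex SHA-256 of FILE with whichever tool the OS has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1      # macOS / BSD fallback
  fi
}

# verify_sha256 ISO CHECKSUMFILE: CHECKSUMFILE holds lines "<hex>  <name>" (a
# leading "*" on the name, as sha256sum -b writes it, is tolerated). Uses the
# entry whose name matches ISO's basename. Exit 0 = match, 1 = mismatch,
# 2 = no entry for this file.
verify_sha256() {
  iso=$1; sums=$2
  name=$(basename "$iso")
  expected=$(awk -v f="$name" \
    '{ n=$2; sub(/^\*/, "", n); if (n == f) { print $1; exit } }' "$sums")
  [ -n "$expected" ] || return 2
  actual=$(sha256_of "$iso")
  [ "$expected" = "$actual" ]
}

# verify_signature ISO SIGFILE KEYRING: check the detached signature SIGFILE
# against ISO, trusting only keys in KEYRING (a file you obtained out of band,
# not from the same download page). Exit status is gpg's: 0 = good signature.
verify_signature() {
  gpg --batch --no-default-keyring --keyring "$3" --verify "$2" "$1"
}

# Usage (assumed file names):
#   sh verify_iso.sh antergos.iso antergos.iso.sha256 antergos.iso.sig antergos-keyring.gpg
if [ "$#" -eq 4 ]; then
  verify_sha256 "$1" "$2"    || { echo "checksum mismatch or no entry for $1" >&2; exit 1; }
  verify_signature "$1" "$3" "$4" || { echo "BAD or untrusted signature on $1" >&2; exit 1; }
  echo "OK: integrity and authenticity checks passed for $1"
fi
```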