So today whilst I was navigating the Manjaro website I discovered a broken link that is used for security validation in relation to ISOs. The link needs fixing ASAP, and I would also check the validity of its related ISOs at the same time, just to be sure nothing has been compromised.
What's the link?
What page is it on?
PS: I'm pretty sure the checksums are written directly on the download pages.
Try and download the GPG Sig: https://manjaro.org/download/bspwm/
I've edited the thread title to make it clear what the issue actually is.
Okay, just wanted to get someone's attention to get it fixed; from a security standpoint I didn't want to highlight the issue immediately.
It's not really a security issue with the website.
Yeah. I see the problem.
The Signature link links to the manjaro project on OSDN and not the manjaro-community project, which is the correct one.
The point I am trying to make is, how am I supposed to know that it's just human error that's occurred and that someone hasn't compromised the webpage? Just thinking beyond what's right in front of me: for example, how can I be sure that the link to the ISO hasn't been tampered with without going out of my way to check? A broken GPG sig link doesn't instill a huge amount of confidence in the ISO I have downloaded being safe. Not saying it isn't safe, just theory.
I guess what I am trying to say is, I would rather be safe than sorry.
That's what the checksums are for.
Which are based on the ISO's integrity if I am not mistaken, so if the ISO had been tampered with, and the checksum updated, you wouldn't be able to tell the difference as it would all come through as fine. Unless I misunderstand how checksums can be updated?
Checksums are generated before the ISO is uploaded to the server.
When it's uploaded, the webpage is updated, by the web maintainer, with the correct checksum of the ISO that got uploaded.
I have corrected the link on the page now. Thanks for reporting!
Sorry for the late reply, glad I could help, thanks for sorting it out!
Tested the link, correct ISO was downloaded.
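The case raised in the thread, an ISO that has changed while the checksum shown on the page was updated to match, is the one a detached GPG signature is meant to catch. The script below is an added example, not part of the original posts or of Manjaro's tooling; it uses a throwaway key and a constructed stand-in file, and assumes `gpg` (2.1 or later) and `sha256sum` are installed.

```shell
#!/bin/sh
# Added example: file names, contents and the signing identity are constructed.

# Prints "ok" if the file hashes to the digest shown on the page, else "MISMATCH".
check_sum() {  # $1 = file, $2 = published SHA-256 (hex)
    if [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]; then echo ok; else echo MISMATCH; fi
}

# Prints "ok" if the detached signature verifies with a key in the keyring, else "BAD".
check_sig() {  # $1 = signature file, $2 = file
    if gpg --batch --verify "$1" "$2" >/dev/null 2>&1; then echo ok; else echo BAD; fi
}

# Prints four results: checksum and signature for the genuine file, then for a
# changed file whose page checksum was regenerated to match it.
# Runs in a subshell so GNUPGHOME and the temp directory do not leak to the caller.
demo() (
    work=$(mktemp -d) || exit 2
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$work"' EXIT
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME"
    # Throwaway key standing in for the distribution's release key.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' --quick-generate-key \
        'Demo Release <release@example.invalid>' ed25519 sign never 2>/dev/null || exit 2

    # Maintainer side: build, sign, then publish the digest on the download page.
    iso="$work/demo.iso"; sig="$work/demo.iso.sig"
    printf 'constructed stand-in for an ISO image\n' > "$iso"
    gpg --batch --quiet --output "$sig" --detach-sign "$iso" 2>/dev/null || exit 2
    page_sum=$(sha256sum "$iso" | cut -d' ' -f1)
    before="$(check_sum "$iso" "$page_sum") $(check_sig "$sig" "$iso")"

    # The case from the thread: the file changes and the page digest is updated
    # to match. The old signature stays, since a new one needs the private key,
    # which is assumed not to live on the web server.
    printf 'different bytes\n' >> "$iso"
    page_sum=$(sha256sum "$iso" | cut -d' ' -f1)
    after="$(check_sum "$iso" "$page_sum") $(check_sig "$sig" "$iso")"

    echo "$before $after"
)

demo   # expected: ok ok ok BAD
```

The signature check is only as good as the key it is checked against, so the release key has to come from somewhere other than the page that serves the ISO.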