Signing repos?

This is less a help request and more of an inquiry/suggestion?
I know I've only been here a short while, but I've noticed that the repos are not signed.

I’ve seen at least one post where the user downloaded from a non-authorized source.
Can I ask what is involved for this distro to create a verified repo?
Looking at the parrot.list, it looks like there are multiple places that are willing to support us. It might be helpful to create a signed certificate and share it with the people willing to host the repos so that we can ensure some integrity of code sharing?

Again, very new here, so I don't know what's gone on in the past. If anyone would be willing to share or point me in the direction of any conversations around this topic, I'd be happy to deep dive and educate myself on the topic.

thanks


Check the hash, preferably SHA-256, of your version of the .iso with the host command shell using the command: shasum followed by the hash. It should correspond; if not, it is tampered. The hash is under the download button.

So, that brings me to not only the fact that I'm checked unverified after a flame yesterday about this push upgrade that leaves us all vulnerable if I question things… I think I'm going back to Kali or whatever soon; they never respond here, or it is a counterproductive response in a matter that is outside this OS context, but any info about upgrades or announcements? Not a letter.

So use the hash code or else the file name, but then it's shasum -a filename.

Thanks beatmotorpull. Excellent advice, but I was not referring to the ISO. I'm referring to post-install, when you want to update or add new applications from the repos.

There are the official ones that come with the install, but there was also a thread earlier about someone downloading from another site (which I suspect was not official and might contain malware).

I'm teaching Linux, and the distro we are using is Red Hat. They have their repos signed, and in the config file that points to each repo there is a gpg_check = true statement. This requires that the repo not be used unless it has been signed as authentic.

Since it is GPG, and Parrot seems to have a goodly number of places willing to host the repos, it would seem a relatively straightforward matter to sign these repos. Not trivial, but straightforward.
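Parrot, like Debian, uses APT, where the per-repository analogue of the gpg_check setting described above is the bracketed option block on each sources.list line: signed-by pins the keyring a repo must be signed with, while trusted=yes switches signature checking off entirely. The following audit script is an added example, not code from Parrot or from this thread; the sample sources file, mirror hostnames and keyring path are constructed.

```python
# Added example (not Parrot's code): audit APT one-line sources entries.
import re

# Constructed sample resembling a Debian/Parrot-style sources file.
SAMPLE_SOURCES = """\
# primary mirror, verified against a pinned keyring
deb [signed-by=/usr/share/keyrings/example-keyring.gpg] https://mirror.example.org/parrot lory main contrib
# third-party mirror with Release-file signature checks disabled
deb [trusted=yes] http://unofficial.example.net/parrot lory main
# plain entry: verified against the system-wide APT keyring
deb https://mirror.example.org/parrot lory-security main
"""

# deb|deb-src, optional [opt=val ...] block, URI, suite, components
LINE_RE = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)\s*(.*)$")


def parse_options(raw):
    """Turn 'a=b c=d' from inside the brackets into a dict."""
    opts = {}
    for item in raw.split():
        key, _, value = item.partition("=")
        opts[key] = value
    return opts


def audit_sources(text):
    """Classify each active entry by how apt will check its signatures."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if not match:
            findings.append({"line": lineno, "uri": None, "status": "unparseable"})
            continue
        opts = parse_options(match.group(2) or "")
        if opts.get("trusted") == "yes":
            status = "unverified"      # signature failures are ignored
        elif "signed-by" in opts:
            status = "pinned-key"      # only the named keyring is accepted
        else:
            status = "system-keyring"  # any key in the system trusted keyrings
        findings.append({"line": lineno, "uri": match.group(3), "status": status})
    return findings


def unverified_uris(text):
    """URIs of repositories whose signature checks are disabled."""
    return [f["uri"] for f in audit_sources(text) if f["status"] == "unverified"]
```

Run audit_sources on the contents of /etc/apt/sources.list (and the files under /etc/apt/sources.list.d/) to spot third-party entries that a user has added with trusted=yes; those are the ones where a tampered mirror would go unnoticed.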
