Bug 117647

Summary: Sign the installer binaries?
Product: [Fedora] Fedora
Component: distribution
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED WONTFIX
Severity: medium
Priority: low
Reporter: Chris Adams <linux>
Assignee: Bill Nottingham <notting>
QA Contact: Bill Nottingham <notting>
CC: barryn, rvokal
Keywords: FutureFeature
Doc Type: Enhancement
Last Closed: 2005-09-30 20:40:46 UTC

Description Chris Adams 2004-03-06 04:07:25 UTC
All the distribution RPMs are signed, so they can be verified.  The
MD5SUMs file is signed and can be verified (so CD images can be
checked for "authenticity"), but remastering into a DVD is becoming
more common.  Unless there is an "official" FC DVD image (and as a
mirror, I'm not looking forward to that from a disk space
perspective), it would be nice if Red Hat/the Fedora Project would
come up with a way of signing the non-RPM binaries used in
installation (or signing an MD5SUM type file, maybe with a
verification script provided).

I think the important files are everything under the Fedora/base and
the kernel and initrd files under the images directory.

Just kind of "thinking out loud" as I was burning my own DVD of FC2t1;
I know people that'd like a copy of FC2 release on DVD, but how can
they verify that I didn't tamper with it?  I could mess with the
installer so that it didn't install exactly the RPMs on the disk. 
Maybe I'm just paranoid. :-)
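
The "signed MD5SUM type file ... with a verification script" idea from the description, sketched as an added example; it is not part of the bug report or of any Fedora tooling. It assumes a manifest of `<hex digest>  <relative path>` lines whose detached signature has already been checked (for instance with `gpg --verify`), swaps SHA-256 in for MD5, and uses constructed function names and sample files.

```python
import hashlib
import tempfile
from pathlib import Path

def parse_manifest(text):
    """Parse "<hex digest>  <relative path>" lines into {path: digest}."""
    entries = {}
    for line in filter(str.strip, text.splitlines()):
        digest, path = line.split(None, 1)
        if path.startswith("/") or ".." in path.split("/"):
            raise ValueError("manifest path escapes the tree: " + path)
        entries[path] = digest.lower()
    return entries

def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while chunk := f.read(1 << 20):   # installer images are large; hash in chunks
            h.update(chunk)
    return h.hexdigest()

def verify_tree(root, manifest_text, covered_dirs):
    """Return sorted (status, path) findings; UNLISTED flags files added to covered dirs."""
    expected = parse_manifest(manifest_text)
    on_disk = {p.relative_to(root).as_posix() for d in covered_dirs
               for p in Path(root, d).rglob("*") if p.is_file()}
    findings = [("UNLISTED", p) for p in on_disk - set(expected)]
    for rel, digest in expected.items():
        full = Path(root, rel)
        if not full.is_file():
            findings.append(("MISSING", rel))
        elif file_digest(full) != digest:
            findings.append(("MODIFIED", rel))
    return sorted(findings)

def demo():
    """Verify a constructed sample tree as recorded, then after three alterations."""
    files = {"Fedora/base/comps.xml": b"<comps/>", "images/pxeboot/vmlinuz": b"kernel",
             "images/pxeboot/initrd.img": b"initrd"}   # constructed names and content
    manifest = "".join(f"{hashlib.sha256(d).hexdigest()}  {r}\n" for r, d in files.items())
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        clean = verify_tree(root, manifest, ["Fedora/base", "images"])
        (root / "images/pxeboot/initrd.img").write_bytes(b"initrd+hook")  # changed file
        (root / "Fedora/base/extra.img").write_bytes(b"")                 # added file
        (root / "Fedora/base/comps.xml").unlink()                         # removed file
        return clean, verify_tree(root, manifest, ["Fedora/base", "images"])
```

An empty findings list only means the tree matches the manifest; the result is trustworthy only if the manifest's signature was verified against a key obtained independently of the disc.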

Comment 1 Barry K. Nathan 2004-07-17 04:25:09 UTC
Well, there are official FC DVD ISO images now, for what that's worth...

Comment 2 Bill Nottingham 2005-09-30 20:40:46 UTC
Closing bugs on older, no longer supported, releases. Apologies for any lack of
response.

With official DVD releases and signed MD5SUMS of those, further changes aren't
planned.