Red Hat Bugzilla – Bug 117647
Sign the installer binaries?
Last modified: 2014-03-16 22:43:00 EDT
All the distribution RPMs are signed, so they can be verified. The
MD5SUMs file is signed and can be verified (so CD images can be
checked for "authenticity"), but remastering into a DVD is becoming
more common. Unless there is an "official" FC DVD image (and as a
mirror, I'm not looking forward to that from a disk space
perspective), it would be nice if Red Hat/the Fedora Project would
come up with a way of signing the non-RPM binaries used in
installation (or signing an MD5SUM-type file, maybe with a
verification script provided).
I think the important files are everything under the Fedora/base and
the kernel and initrd files under the images directory.
Just kind of "thinking out loud" as I was burning my own DVD of FC2t1;
I know people that'd like a copy of FC2 release on DVD, but how can
they verify that I didn't tamper with it? I could mess with the
installer so that it didn't install exactly the RPMs on the disk.
Maybe I'm just paranoid. :-)
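
The signed-checksum-file-plus-verification-script idea from the report above, sketched as an added example (not code from this bug or from the Fedora Project). Assumptions: the manifest uses the `md5sum`-style layout but defaults to SHA-256 (pass `algo="md5"` for the format the thread names), `gpg` is installed with the signer's key already imported, and every file name is constructed.

```python
import hashlib, subprocess, tempfile
from pathlib import Path

def signature_ok(manifest_path, sig_path):
    # Detached-signature check; the signer's public key must already be in the keyring.
    return subprocess.run(["gpg", "--verify", sig_path, manifest_path], capture_output=True).returncode == 0

def parse_manifest(text):
    # md5sum/sha256sum layout: "<hex digest>  <path>" (a leading "*" marks binary mode).
    entries = {}
    for line in filter(str.strip, text.splitlines()):
        digest, path = line.split(None, 1)
        entries[path.lstrip("*")] = digest.lower()
    return entries

def file_digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_tree(root, manifest_text, algo="sha256"):
    # Call only after signature_ok() passed; an unsigned manifest proves nothing.
    expected = parse_manifest(manifest_text)
    report = {"mismatch": [], "missing": [], "unlisted": []}
    for rel, digest in sorted(expected.items()):
        if not Path(root, rel).is_file():
            report["missing"].append(rel)
        elif file_digest(Path(root, rel), algo) != digest:
            report["mismatch"].append(rel)
    on_disk = sorted(p.relative_to(root).as_posix() for p in Path(root).rglob("*") if p.is_file())
    report["unlisted"] = [p for p in on_disk if p not in expected]  # files the signer never listed
    return report

def demo():
    # Constructed tree and file names, mirroring the directories named in the report.
    files = {"Fedora/base/installer.img": b"installer", "images/vmlinuz": b"kernel", "images/initrd.img": b"initrd"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        manifest = "".join(f"{hashlib.sha256(d).hexdigest()}  {r}\n" for r, d in files.items())
        clean = verify_tree(root, manifest)
        Path(root, "Fedora/base/installer.img").write_bytes(b"patched")  # simulate a modified installer
        Path(root, "images/initrd.img").unlink()
        Path(root, "images/extra.img").write_bytes(b"added")
        return clean, verify_tree(root, manifest)
```

On a real disc the manifest and its signature would sit inside the tree, so they would show up under `unlisted` unless excluded.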
Well, there are official FC DVD ISO images now, for what that's worth...
Closing bugs on older, no longer supported, releases. Apologies for any lack of
With official DVD releases and signed MD5SUMS of those, further changes aren't