Bug 509339 - add gpg signature for .treeinfo file and/or add CHECKSUM file for unsigned content of images
add gpg signature for .treeinfo file and/or add CHECKSUM file for unsigned co...
Product: Fedora
Classification: Fedora
Component: pungi (Show other bugs)
All Linux
low Severity medium
: ---
: ---
Assigned To: David Cantrell
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2009-07-02 06:27 EDT by Till Maas
Modified: 2013-01-10 00:16 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-05-25 17:40:50 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Till Maas 2009-07-02 06:27:13 EDT
Description of problem:
Currently the only way to verify the contents of .treeinfo or the installer images is to download the .iso and the regarding -CHECKSUM file and check it. But e.g. preupgrade does not download the .iso but the *.img files, the kernel and the .treeinfo directly from a mirror. Therefore it is also not possible to easily verify these files. I guess the preupgrade way of updating is somehow popular, therefore it should be possible to do this securely.

I filed a bug against preupgrade for not verifying anything and not announcing this here: bug 509338
Comment 1 Bug Zapper 2009-11-16 05:36:11 EST
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
Comment 2 Jesse Keating 2010-05-25 17:40:50 EDT
This is really a releng task item, rather than a pungi item, since pungi doesn't do the signing, releng does it after pungi is done.  I've created a ticket in trac, https://fedorahosted.org/rel-eng/ticket/3761 to cover this issue.

Note You need to log in before you can comment on or make changes to this bug.