Bug 509339 - add gpg signature for .treeinfo file and/or add CHECKSUM file for unsigned content of images
Summary: add gpg signature for .treeinfo file and/or add CHECKSUM file for unsigned co...
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: pungi
Version: 12
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: David Cantrell
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: FutureFeature
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-07-02 10:27 UTC by Till Maas
Modified: 2013-01-10 05:16 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-05-25 21:40:50 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Till Maas 2009-07-02 10:27:13 UTC
Description of problem:
Currently the only way to verify the contents of .treeinfo or the installer images is to download the .iso and the regarding -CHECKSUM file and check it. But e.g. preupgrade does not download the .iso but the *.img files, the kernel and the .treeinfo directly from a mirror. Therefore it is also not possible to easily verify these files. I guess the preupgrade way of updating is somehow popular, therefore it should be possible to do this securely.

I filed a bug against preupgrade for not verifying anything and not announcing this here: bug 509338

Comment 1 Bug Zapper 2009-11-16 10:36:11 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 2 Jesse Keating 2010-05-25 21:40:50 UTC
This is really a releng task item, rather than a pungi item, since pungi doesn't do the signing, releng does it after pungi is done.  I've created a ticket in trac, https://fedorahosted.org/rel-eng/ticket/3761 to cover this issue.


Note You need to log in before you can comment on or make changes to this bug.