Red Hat Bugzilla – Bug 509339
add gpg signature for .treeinfo file and/or add CHECKSUM file for unsigned content of images
Last modified: 2013-01-10 00:16:52 EST
Description of problem:
Currently the only way to verify the contents of .treeinfo or the installer images is to download the .iso and the corresponding -CHECKSUM file and check it. But preupgrade, for example, does not download the .iso; it fetches the *.img files, the kernel and the .treeinfo directly from a mirror. Therefore it is also not possible to easily verify these files. I guess the preupgrade way of updating is somewhat popular, so it should be possible to do this securely.
I filed a bug against preupgrade for not verifying anything and not announcing this here: bug 509338
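The description above asks for a way to verify the individual files preupgrade fetches from a mirror without the .iso. The following is an added example (not code from the bug, from preupgrade, or from Fedora releng) showing what the requested "checksum list for unsigned content" would let a client do: it assumes a [checksums] section in .treeinfo that maps each relative path to "algorithm:hexdigest" (the layout later Fedora trees adopted; treated here as an assumption), verifies every listed file that is present, and flags tampered or absent files. The tree it checks is constructed in a temporary directory; the function names are the example's own.

```python
import configparser
import hashlib
import os
import tempfile


def parse_checksums(treeinfo_text):
    """Return {relative_path: (algorithm, hexdigest)} from a [checksums] section.

    Assumed layout (not stated in the bug):
        [checksums]
        images/pxeboot/vmlinuz = sha256:<hex>
    """
    # Only "=" separates key and value, because the value itself contains ":".
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep path case, e.g. LiveOS/squashfs.img
    cp.read_string(treeinfo_text)
    if not cp.has_section("checksums"):
        return {}
    out = {}
    for path, value in cp.items("checksums"):
        algo, _, digest = value.partition(":")
        out[path] = (algo.strip().lower(), digest.strip().lower())
    return out


def file_digest(path, algo):
    """Hash a file in chunks so multi-hundred-MB images do not load into RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tree(treeinfo_text, root):
    """Return {relative_path: status} for every entry in [checksums].

    status is one of "ok", "mismatch", "missing", "unsupported-algorithm".
    A client such as preupgrade would treat anything but "ok" for a file it
    actually downloaded as a hard failure.
    """
    results = {}
    for rel, (algo, expected) in parse_checksums(treeinfo_text).items():
        full = os.path.join(root, rel)
        if algo not in hashlib.algorithms_available:
            results[rel] = "unsupported-algorithm"
        elif not os.path.isfile(full):
            results[rel] = "missing"
        elif file_digest(full, algo) == expected:
            results[rel] = "ok"
        else:
            results[rel] = "mismatch"
    return results


def demo():
    """Constructed tree: an intact kernel, a tampered initrd, an undownloaded image."""
    root = tempfile.mkdtemp()
    files = {  # constructed sample contents, not real installer images
        "images/pxeboot/vmlinuz": b"constructed kernel bytes\n",
        "images/pxeboot/initrd.img": b"constructed initrd bytes\n",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    lines = ["[general]", "name = Fedora", "version = 12", "", "[checksums]"]
    for rel, data in files.items():
        lines.append(f"{rel} = sha256:{hashlib.sha256(data).hexdigest()}")
    # Listed in .treeinfo but never fetched by this client (preupgrade skips it).
    lines.append("LiveOS/squashfs.img = sha256:" + "0" * 64)
    treeinfo = "\n".join(lines) + "\n"
    # Simulate a mirror that alters the initrd after the tree was checksummed.
    with open(os.path.join(root, "images/pxeboot/initrd.img"), "ab") as f:
        f.write(b"evil\n")
    return verify_tree(treeinfo, root)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:12} {path}")
```

The checksum list only helps if .treeinfo itself is authenticated, which is the other half of the request: a mirror that can rewrite initrd.img can rewrite the checksums next to it just as easily. The client therefore has to verify a detached signature on the file first (for example `gpg --verify .treeinfo.asc .treeinfo`, against a Fedora key obtained out of band rather than from the same mirror) and only then trust the digests it contains.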
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.
More information and the reason for this action are here:
This is really a releng task item, rather than a pungi item, since pungi doesn't do the signing; releng does it after pungi is done. I've created a ticket in trac, https://fedorahosted.org/rel-eng/ticket/3761, to cover this issue.