Bug 27734 - No PGP signatures for ISO images
Summary: No PGP signatures for ISO images
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Hosted Projects
Classification: Unclassified
Component: Catalyst
Hardware: All All
Importance: High normal
Assignee: John Davis (zhen) (RETIRED)
Reported: 2003-09-01 14:26 UTC by Ed Grimm
Modified: 2004-04-26 08:00 UTC
Description Ed Grimm 2003-09-01 14:26:34 UTC
As far as I can tell, you don't have PGP signatures on any of the files.  Also, the md5 sums are on 
the same ftp servers as the ISO, which basically means anyone who compromises the FTP server can 
also upload the md5 sums for their trojan versions.  (Note that I'm not making a distinction 
between PGP implementations.  OpenPGP is actually preferable, and I know you have gpg available 
to you.)

Reproducible: Always
Steps to Reproduce:
1.  Look at any mirror, any CD image.
2.  See that there's no associated .sig file, or any other file which suggests it contains PGP 
signatures.
Comment 1 SpanKY gentoo-dev 2004-04-01 11:44:19 UTC
Best thing would be to integrate with catalyst; that way we get stages signed too for free.
Comment 2 John Davis (zhen) (RETIRED) gentoo-dev 2004-04-26 08:00:57 UTC
We now sign our releases using ASCII-armored signatures.
As for catalyst automatically doing it, I would rather that I do it by hand so that the integrity is assured.
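
Added example, not part of the bug thread and not Gentoo's release tooling: a shell sketch of the point in the report, that an md5 file stored beside the image gives no protection once the server is writable by someone else, while a detached ASCII-armored signature checked against a fingerprint obtained out of band does. The file names, the throwaway key, the two helper functions and the `--demo` switch are constructed assumptions; it needs GnuPG 2.1 or later and `md5sum`.

```shell
#!/bin/sh
# Added example: constructed data and a throwaway key only.

# verify_release FILE SIG PINNED_FPR
# Succeeds only when SIG is a good detached signature over FILE and the
# signing key's primary fingerprint equals PINNED_FPR, a value the user
# obtained out of band (not from the mirror that served FILE).
verify_release() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    # The last field of a VALIDSIG status line is the primary key fingerprint.
    signer=$(printf '%s\n' "$status" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$signer" ] && [ "$signer" = "$3" ]
}

# make_constructed_release DIR (hypothetical helper)
# Release side: throwaway key, constructed "image", ASCII-armored detached
# signature and an md5 file. Sets RELEASE_FPR and exports GNUPGHOME.
# Simplification: signer and verifier share one keyring here.
make_constructed_release() {
    GNUPGHOME=$1/gnupg; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" || return 1
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Constructed Key <release@example.invalid>' \
        default default never 2>/dev/null || return 1
    RELEASE_FPR=$(gpg --batch --with-colons --list-keys |
        awk -F: '$1 == "fpr" { print $10; exit }')
    printf 'constructed image contents\n' > "$1/release.iso"
    gpg --batch --quiet --armor --detach-sign \
        --output "$1/release.iso.asc" "$1/release.iso" || return 1
    (cd "$1" && md5sum release.iso > release.iso.md5)
}

# replace_on_mirror DIR (hypothetical helper)
# Models the scenario in the report: whoever can write to the server swaps
# the image and regenerates the md5 file beside it. The signature cannot be
# regenerated without the private key, so it is left as it was.
replace_on_mirror() {
    printf 'altered image contents\n' > "$1/release.iso"
    (cd "$1" && md5sum release.iso > release.iso.md5)
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && make_constructed_release "$d" && replace_on_mirror "$d"
    (cd "$d" && md5sum -c release.iso.md5)          # md5 check still passes
    verify_release "$d/release.iso" "$d/release.iso.asc" "$RELEASE_FPR" ||
        echo "signature check: FAILED (image does not match release.iso.asc)"
    gpgconf --kill gpg-agent; rm -rf "$d"
fi
```

In real use the pinned fingerprint comes from a channel independent of the mirror, and only the public key is present on the verifying machine.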