As far as I can tell, you don't have PGP signatures on any of the files. Also, the md5 sums are on the same ftp servers as the ISO, which basically means anyone who compromises the FTP server can also upload the md5 sums for their trojan versions. (Note that I'm not making a distinction between PGP implementations. OpenPGP is actually preferable, and I know you have gpg available to you.)

Reproducible: Always

Steps to Reproduce:
1. Look at any mirror, any CD image.
2. See that there's no associated .sig file, or any other file which suggests it contains PGP signatures.
3.
Best thing would be to integrate with catalyst; that way we get stages signed too for free.
We now sign our releases using ASCII-armored signatures. As for catalyst automatically doing it, I would rather do it by hand so that the integrity is assured.
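For a user of the mirrors, the detached ASCII-armored signatures mentioned above only help if the downloaded file is checked against a key whose fingerprint was learned somewhere other than the mirror, since a compromised server can replace a co-hosted public key just as easily as the md5 sums the reporter describes. The script below is an added example, not code from this thread or from the release tooling; it assumes GnuPG 2.x is installed, and the file names and fingerprint are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example: verify a release file against its detached ASCII-armored
# OpenPGP signature, accepting only a signature made by a pinned key.
# Assumes gpg (GnuPG 2.x) is on PATH. File names and the fingerprint are
# caller-supplied placeholders, not values from the bug thread.
#
# A checksum file next to the ISO proves nothing about origin, because an
# attacker who can replace the ISO can replace the checksum too. A signature
# binds the file to a key, and pinning that key's fingerprint ties the check
# to an identity obtained out of band (printed docs, a keyserver, a web of
# trust path), not to whatever the mirror happens to serve.

verify_release() {
    file=$1          # e.g. install-minimal.iso
    sig=$2           # e.g. install-minimal.iso.asc (detached, ASCII-armored)
    expected_fpr=$3  # 40 hex digits of the release key's primary fingerprint

    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    [ -f "$sig" ]  || { echo "no signature found for $file" >&2; return 2; }

    # --status-fd 1 makes gpg emit machine-readable "[GNUPG:] ..." lines.
    # A non-zero exit means the signature is bad, missing, or by an unknown key.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || {
        echo "signature on $file did not verify" >&2; return 1; }

    # VALIDSIG: field 3 is the signing (sub)key fingerprint, the last field is
    # the primary key fingerprint. Pin the primary so subkey rotation still works.
    got_fpr=$(printf '%s\n' "$status" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }')

    want=$(printf '%s' "$expected_fpr" | tr '[:lower:]' '[:upper:]' | tr -d ' ')
    got=$(printf '%s' "$got_fpr" | tr '[:lower:]' '[:upper:]')

    if [ -n "$got" ] && [ "$got" = "$want" ]; then
        echo "OK: $file signed by $got"
        return 0
    fi
    echo "REJECT: $file signed by '${got:-unknown}', expected $want" >&2
    return 1
}

# Usage: verify_release install-minimal.iso install-minimal.iso.asc <FINGERPRINT>
```

The md5 sum published alongside the ISO is still useful for catching a truncated or corrupted transfer, but only after the signature check has passed.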