
Bug 277319

Summary: automated signing of weekly builds for verification
Product: Gentoo Release Media
Reporter: sf <sf-gentoo>
Component: InstallCD
Assignee: Gentoo Release Team <releng>
Status: RESOLVED FIXED
Severity: major
CC: dabbott, infra-bugs, u43551
Priority: High
Version: unspecified
Hardware: x86
OS: Linux

Description sf 2009-07-10 14:25:59 UTC
The handbook says to verify the signature of the downloaded iso image. But there is none to download. The system could be compromised from the very beginning.

Reproducible: Always

Steps to Reproduce:
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2009-08-09 01:18:59 UTC
agaffney: how do you want to handle signing of the autobuilds? Maybe a new autobuilds-dedicated key for automation?
Comment 2 Andrew Gaffney (RETIRED) gentoo-dev 2009-08-09 04:02:05 UTC
We need a new key, anyway. The old signing key was for wolf31o2@gentoo.org. Can you take care of it? I'm not familiar with gnupg and the signing process.
Comment 3 Hank Leininger 2009-08-18 19:18:34 UTC
Just a "me too" on this. The weak/inconsistent signing of ebuilds is one thing; not even having signed install media (.iso and stage3 tarballs) is a big step backwards. Welcome to the 1990s.
Comment 4 Andrew Gaffney (RETIRED) gentoo-dev 2009-08-24 20:44:04 UTC
*** Bug 282478 has been marked as a duplicate of this bug. ***
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2009-08-24 20:52:25 UTC
ETA is later this week for me to update the bits of scripts and stuff needed to start doing automated signing of the weekly release files.

I'll sign on osprey, when the files arrive from poseidon, adding a .asc file for each .DIGESTS.
Comment 6 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2009-08-25 22:48:25 UTC
Ok, it's live now, but still being tested.

pub   4096R/2D182910 2009-08-25 [expires: 2013-08-24]
      Key fingerprint = 13EB BDBE DE7A 1277 5DFD  B1BA BB57 2E0E 2D18 2910
uid                  Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@gentoo.org>

I'll announce it on the mailing lists in a day or two, after I'm 100% certain that it's working properly (need to wait for some releases to spin and come in).
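
Added example, not part of the bug thread and not Gentoo's own tooling: a sketch of the verification chain this bug enables, accepting install media only if the .DIGESTS signature was made under the full fingerprint posted in comment 6 and the file's hash matches the signed DIGESTS. It assumes gpg has already been run with `--status-fd` over the .asc file and its status lines captured, and that DIGESTS uses `# <ALGO> HASH` comment lines followed by `<hex>  <filename>` lines; the function names and sample inputs are constructed for illustration.

```python
import hashlib

# Full fingerprint from comment 6, spaces removed; pin this rather than the short ID.
RELENG_FPR = "13EBBDBEDE7A12775DFDB1BABB572E0E2D182910"
BAD = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def signed_by_pinned_key(status_text, pinned=RELENG_FPR):
    """Check captured `gpg --status-fd 1 --verify ...` output against the pinned key."""
    seen, fpr_ok = set(), False
    for line in status_text.splitlines():
        f = line.split()
        if len(f) < 2 or f[0] != "[GNUPG:]":
            continue
        seen.add(f[1])
        # VALIDSIG: f[2] is the signing key; the last field is the primary key (newer gpg).
        if f[1] == "VALIDSIG" and len(f) > 2 and pinned.upper() in (f[2].upper(), f[-1].upper()):
            fpr_ok = True
    return fpr_ok and "GOODSIG" in seen and not (seen & BAD)


def parse_digests(text):
    """Map filename -> {algo: hexdigest}; '# <ALGO> HASH' names the algorithm (assumed layout)."""
    out, algo = {}, None
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#"):
            algo = parts[1].lower() if len(parts) == 3 and parts[2] == "HASH" else None
        elif algo and len(parts) == 2:
            out.setdefault(parts[1], {})[algo] = parts[0].lower()
    return out


def media_ok(name, data, digests_text, status_text):
    """Accept only if the signature is pinned-good and each checkable digest matches."""
    if not signed_by_pinned_key(status_text):
        return False
    wanted = parse_digests(digests_text).get(name, {})
    usable = {a: h for a, h in wanted.items() if a in hashlib.algorithms_available}
    return bool(usable) and all(hashlib.new(a, data).hexdigest() == h for a, h in usable.items())


# Constructed sample inputs (not real release data).
SAMPLE_ISO = b"constructed stand-in for install media bytes"
SAMPLE_DIGESTS = "# SHA512 HASH\n%s  sample.iso\n" % hashlib.sha512(SAMPLE_ISO).hexdigest()
SAMPLE_STATUS = (
    "[GNUPG:] GOODSIG BB572E0E2D182910 constructed uid\n"
    "[GNUPG:] VALIDSIG " + RELENG_FPR + " 2009-08-26 1251244800 0 4 0 1 2 00 " + RELENG_FPR + "\n"
)
assert media_ok("sample.iso", SAMPLE_ISO, SAMPLE_DIGESTS, SAMPLE_STATUS)
```

Matching on the full 40-character fingerprint matters because a different key can share the 8-character ID `2D182910`; the status check also rejects signatures gpg reports under an expired or revoked key.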