Summary: automated signing of weekly builds for verification
Product: Gentoo Release Media    Reporter: sf <sf-gentoo>
Component: InstallCD    Assignee: Gentoo Release Team <releng>
Severity: major    CC: dabbott, infra-bugs, u43551
Package list: (none)    Runtime testing required: ---
Description sf 2009-07-10 14:25:59 UTC
The handbook says to verify the signature of the downloaded iso image. But there is none to download. The system could be compromised from the very beginning.

Reproducible: Always

Steps to Reproduce:
Comment 1 Robin Johnson 2009-08-09 01:18:59 UTC
agaffney: how do you want to handle signing of the autobuilds? Maybe a new autobuilds-dedicated key for automation?
Comment 2 Andrew Gaffney (RETIRED) 2009-08-09 04:02:05 UTC
We need a new key, anyway. The old signing key was for firstname.lastname@example.org. Can you take care of it? I'm not familiar with gnupg and the signing process.
Comment 3 Hank Leininger 2009-08-18 19:18:34 UTC
Just a "me too" on this. The weak/inconsistent signing of ebuilds is one thing; not even having signed install media (.iso and stage3 tarballs) is a big step backwards. Welcome to the 1990's.
Comment 4 Andrew Gaffney (RETIRED) 2009-08-24 20:44:04 UTC
*** Bug 282478 has been marked as a duplicate of this bug. ***
Comment 5 Robin Johnson 2009-08-24 20:52:25 UTC
ETA is later this week for me to update the bits of scripts and stuff needed to start doing automated signing of the weekly release files. I'll sign on osprey, when the files arrive from poseidon, adding a .asc file for each .DIGESTS.
Comment 6 Robin Johnson 2009-08-25 22:48:25 UTC
Ok, it's live now, but still being tested.

pub   4096R/2D182910 2009-08-25 [expires: 2013-08-24]
      Key fingerprint = 13EB BDBE DE7A 1277 5DFD B1BA BB57 2E0E 2D18 2910
uid   Gentoo Linux Release Engineering (Automated Weekly Release Key) <email@example.com>

I'll announce it on the mailing lists in a day or two, after I'm 100% certain that it's working properly (need to wait for some releases to spin and come in).
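The scheme comment 5 describes (a .DIGESTS per release file plus a detached .asc), seen from the downloading side, as an added example that is not part of this bug or of any releng script. It pins the fingerprint quoted in comment 6 instead of accepting any key that happens to be in the keyring, and only then compares the ISO against the signed digest list, so a valid signature from the wrong key and a good signature over a tampered digest list are both rejected. Assumed, because the bug does not show them: the .DIGESTS entries use sha512sum's "<hex digest>  <filename>" layout with '#' comment lines, gpg 2.1 or later is installed, and the release key has already been imported into the local keyring.

```shell
#!/bin/sh
# Added example (not a releng script): verify a weekly release file against its
# signed .DIGESTS. Assumed .DIGESTS layout: "<hex digest>  <filename>" lines as
# printed by sha512sum, with lines starting '#' ignored.
set -u

# Fingerprint of the automated weekly release key from comment 6, spaces removed.
RELEASE_KEY_FPR="13EBBDBEDE7A12775DFDB1BABB572E0E2D182910"

# sig_is_from_key SIGFILE DATAFILE FPR
# Succeeds only if gpg reports VALIDSIG and the signing key (field 3) or its
# primary key (last field) is exactly FPR. "It verified under some key in my
# keyring" is not enough; the key is pinned.
sig_is_from_key() {
  gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null \
    | awk -v fpr="$3" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# file_matches_digests FILE DIGESTS
# Recomputes SHA-512 of FILE and compares it with the SHA-512 entry (128 hex
# chars) recorded for that file name in the digest list.
file_matches_digests() {
  name=$(basename "$1")
  expected=$(grep -v '^#' "$2" \
    | awk -v n="$name" '$2 == n && length($1) == 128 { print $1; exit }')
  [ -n "$expected" ] || return 1
  actual=$(sha512sum "$1" | awk '{ print $1 }')
  [ "$actual" = "$expected" ]
}

# verify_release FILE DIGESTS DIGESTS_ASC [FPR]
# Exit codes: 0 ok, 2 bad/untrusted signature, 3 digest mismatch.
# The signature is checked first: an unsigned digest list proves nothing.
verify_release() {
  fpr=${4:-$RELEASE_KEY_FPR}
  if ! sig_is_from_key "$3" "$2" "$fpr"; then
    echo "REJECT: $2 is not signed by key $fpr" >&2
    return 2
  fi
  if ! file_matches_digests "$1" "$2"; then
    echo "REJECT: $1 does not match its entry in signed $2" >&2
    return 3
  fi
  echo "OK: $1 matches signed $2"
}

# Usage: verify-release.sh install-x86-minimal.iso install-x86-minimal.iso.DIGESTS install-x86-minimal.iso.DIGESTS.asc
if [ "$#" -ge 3 ]; then
  verify_release "$@"
fi
```

The order matters: the digest list is only meaningful once the signature over it has been tied to the expected key, which is why the hash comparison never runs on an unverified .DIGESTS.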