Summary: | Handbook contains incorrect instructions for GPG verification of install iso images. | ||
---|---|---|---|
Product: | [OLD] Docs on www.gentoo.org | Reporter: | rhywek |
Component: | Installation Handbook | Assignee: | nm (RETIRED) <nightmorph> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | docs-team, klaas.decanniere |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
rhywek
2009-09-01 12:33:29 UTC
I just haven't gotten to updating the docs with the new key that was generated per bug 277319. I do confirm that key 2D182910 IS 100% correct, and that it has been uploaded to the keyservers. Reassigning to robbat2. Robin, whatever changes you make to the installation handbooks, please be very careful not to add instructions that only apply to the autobuilds -- see bug 260403. Thanks. nightmorph: Can we just list both keys in the handbook? I'm also making a new page in the releng project listing keys. (In reply to comment #3) > nightmorph: > Can we just list both keys in the handbook? > > I'm also making a new page in the releng project listing keys. > We can't mix autobuild instructions/info with non-autobuild info; that's why the handbook rewrite has taken so long -- it has to be updated all at once. However, if you can find a way to mention both keys, maybe in a table or some kinda tricky wording that doesn't mention "weekly", then be my guest. :) Will the old key be used ever again, or is it only kept around to verify the 200X.x releases? The releng site is updated: http://www.gentoo.org/proj/en/releng/ And the keys have been mailed to the lists. So all that's left is the handbook, which I see was actually already wrong for 2008.0, as we only shipped the .asc on the DIGESTS, not on the files directly. New instructions in that file: <pre caption="Verify the cryptographic signature"> $ <i>gpg --verify <foo.DIGESTS.asc></i> </pre> <pre caption="Verify the checksum"> $ <i>sha1sum -c <foo.DIGESTS.asc></i> </pre> The handbook should have similar, as well as listing the possible keys. Thanks, that section is what the releng website really needed! You just put the creation and expiration dates in wrong columns for the 0x2D182910 key, I guess. I think the foo.DIGESTS file is not needed, as the checksum is calculated from foo.DIGESTS.asc directly, so foo.DIGESTS only creates confusion. (In reply to comment #5) > The releng site is updated: > http://www.gentoo.org/proj/en/releng/ > > And the keys have been mailed to the lists. > > So all that's left is the handbook, which I see was actually already wrong for > 2008.0, as we only shipped the .asc on the DIGESTS, not on the files directly. > > New instructions in that file: > > <pre caption="Verify the cryptographic signature"> > $ <i>gpg --verify <foo.DIGESTS.asc></i> > </pre> > <pre caption="Verify the checksum"> > $ <i>sha1sum -c <foo.DIGESTS.asc></i> > </pre> > > The handbook should have similar, as well as listing the possible keys. > Sounds good to me. (In reply to comment #4) > We can't mix autobuild instructions/info with non-autobuild info; that's why > the handbook rewrite has taken so long -- it has to be updated all at once. > > However, if you can find a way to mention both keys, maybe in a table or some > kinda tricky wording that doesn't mention "weekly", then be my guest. :) In the --recv instructions, just include BOTH keys on the commandline. In the wording, simply state that there are one of two keys used. > Will the old key be used ever again, or is it only kept around to verify the > 200X.x releases? The "old" key is going to be used for non-automated releases still. (In reply to comment #6) > You just put the creation and expiration dates in wrong columns for the > 0x2D182910 key, I guess. Err, I don't see that. The creation date lists 2009/08/25 with expiry in 2013/08/24. > I think the foo.DIGESTS file is not needed, as the checksum is calculated from > foo.DIGESTS.asc directly, so foo.DIGESTS only creates confusion. It's there simply for users that might want it. (In reply to comment #9) > (In reply to comment #6) > > You just put the creation and expiration dates in wrong columns for the > > 0x2D182910 key, I guess. > Err, I don't see that. The creation date lists 2009/08/25 with expiry in > 2013/08/24. > Yesterday the "Created" column was empty, "Expires" had "2009/08/25" in it, and "Revoked" contained "2013/08/24", but I see it's been fixed. The releng page has been updated for a while, any remaining issues are handbook only. *** Bug 297571 has been marked as a duplicate of this bug. *** Fixed: alpha amd64 x86 Other arches on the way. I fixed the rest of the handbooks to use the new releng key and verification process. |