Summary: | Provide installation files with attached GPG signature and make them default in the handbook | ||
---|---|---|---|
Product: | Gentoo Release Media | Reporter: | terabit.funtoo |
Component: | Everything | Assignee: | Gentoo Release Team <releng> |
Status: | RESOLVED FIXED | ||
Severity: | enhancement | CC: | bruce |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
terabit.funtoo
2016-06-29 08:08:28 UTC
This should be standard in all distros and it's shocking that it's not. Please fix this. The files now have a direct detached signature. Which means that * they still can be used without resorting to gpg * the verification is as easy as the "decryption" step you mention gpg --verify install.....asc I'd say this is fixed. (In reply to Andreas K. Hüttel from comment #2) > The files now have a direct detached signature. > > Which means that > * they still can be used without resorting to gpg > * the verification is as easy as the "decryption" step you mention > > gpg --verify install.....asc > > I'd say this is fixed. Hello Andreas, (Note: sorry if I explain something you already know, it’s just to provide technical arguments for my request) The current detached signatures available on the mirrors for stage3 and ISO are signing the whole file instead of their respective DIGESTS files. A better approach would to sign those DIGESTS files (both could be okay). This allows to download only the DIGESTS and its signature on a reliable system (small files), and only the archive (big file) and its DIGESTS only on the target machine. Then, you verify the content of the DIGESTS file on your reliable system thanks to the GPG signature, and on the target system, you only need to check the checksum of the archive. Currently, because there is no signed DIGESTS, this takes more time to verify it, specially on the reliable system: In current situation, we also need to download the archive, its DIGESTS and its signature files. Then, we verify the whole archive with its signature -- which takes way more time than a small file such as the DIGESTS --, check now the checksum(s) -- so second (or more) reads of the whole archive -- to decided if the file is verbatim. All these recent modifications make the current handbook outdated, as I raised through discussion https://wiki.gentoo.org/wiki/Handbook_Talk:AMD64/Installation/Stage#Updates_accordingly_the_signature_verification_process I will be really glad to see such a reliable process. I might make some errors, and will be happy to understand them. Best regards, (In reply to Thibaud "thican" CANALE from comment #3) ../.. > Hello Andreas, ../.. > Best regards, Thanks to your answer on IRC, I made me notice the DIGESTS files are already inline signed. I like this solution, and its also very reliable. Thanks for your support. |