The handbook says to verify the signature of the downloaded iso image. But there is none to download. The system could be compromised from the very beginning.
agaffney: how do you want to handle signing of the autobuilds? Maybe a new autobuilds-dedicated key for automation?
We need a new key, anyway. The old signing key was for firstname.lastname@example.org. Can you take care of it? I'm not familiar with gnupg and the signing process.
Just a "me too" on this. The weak/inconsistent signing of ebuilds is one thing; not even having signed install media (.iso and stage3 tarballs) is a big step backwards. Welcome to the 1990's.
*** Bug 282478 has been marked as a duplicate of this bug. ***
ETA is later this week for me to update the bits of scripts and stuff needed to start doing automated signing of the weekly release files.
I'll sign on osprey, when the files arrive from poseidon, adding a .asc file for each .DIGESTS.
Ok, it's live now, but still being tested.
pub 4096R/2D182910 2009-08-25 [expires: 2013-08-24]
Key fingerprint = 13EB BDBE DE7A 1277 5DFD B1BA BB57 2E0E 2D18 2910
uid Gentoo Linux Release Engineering (Automated Weekly Release Key) <email@example.com>
I'll announce it on the mailing lists in a day or two, after I'm 100% certain that it's working properly (need to wait for some releases to spin and come in).
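The check the reporter is asking for, as an added example (not code from the thread or from Gentoo's release tooling): it parses a .DIGESTS file laid out as "# ALGO HASH" header lines followed by "hexdigest  filename" lines, recomputes the hashes of the downloaded file, and, separately, inspects the machine-readable status output gpg emits with --status-fd so that a signature is accepted only when the VALIDSIG fingerprint is the release key printed above. The sample file bytes and the two gpg status transcripts are constructed for the demo; the only real value is the 2D182910 fingerprint from the thread. A "Good signature" line by itself is not enough, since any key that happens to be in the keyring produces one.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Fingerprint of the Automated Weekly Release Key quoted in the thread, spaces removed.
RELEASE_KEY_FPR = "13EBBDBEDE7A12775DFDB1BABB572E0E2D182910"

# Constructed stand-in for a downloaded stage3 tarball (not a real archive).
SAMPLE_BYTES = b"constructed sample bytes standing in for a stage3 tarball\n"

# Constructed gpg --status-fd transcripts. Real gpg prints several more fields on
# the VALIDSIG line; only the fingerprint in field 3 matters here.
GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG BB572E0E2D182910 Gentoo Linux Release Engineering\n"
    "[GNUPG:] VALIDSIG 13EBBDBEDE7A12775DFDB1BABB572E0E2D182910 2009-08-25 0 0 4 0 1 10 00\n"
)
OTHER_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0000000000000000 Some Other Key (constructed)\n"
    "[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2009-08-25 0 0 4 0 1 10 00\n"
)


def parse_digests(text):
    """Return {filename: {algo: hexdigest}} from a .DIGESTS-style text.

    Header lines such as '# SHA512 HASH' select the algorithm for the
    'hexdigest  filename' lines that follow them.
    """
    result = {}
    algo = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r"#\s*(\w+)\s+HASH", line, re.IGNORECASE)
        if header:
            algo = header.group(1).lower()
            continue
        if line.startswith("#"):
            continue  # any other comment line
        parts = line.split()
        if len(parts) != 2 or algo is None:
            raise ValueError("malformed digest line: %r" % line)
        digest, name = parts
        result.setdefault(name, {})[algo] = digest.lower()
    return result


def verify_file(path, expected):
    """Recompute every listed hash for `path`; True only if all of them match."""
    data = Path(path).read_bytes()
    for algo, digest in expected.items():
        if algo not in hashlib.algorithms_available:
            raise ValueError("hash algorithm not available here: %s" % algo)
        if hashlib.new(algo, data).hexdigest() != digest:
            return False
    return True


def signature_key_matches(gpg_status, expected_fpr=RELEASE_KEY_FPR):
    """Accept a signature only if gpg reported VALIDSIG with the pinned fingerprint."""
    wanted = expected_fpr.replace(" ", "").upper()
    for line in gpg_status.splitlines():
        if line.startswith("[GNUPG:] VALIDSIG "):
            return line.split()[2].upper() == wanted
    return False  # no VALIDSIG at all: BADSIG, ERRSIG, or an unsigned file


def demo():
    """Run the whole check against the constructed inputs and report each outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        stage = Path(tmp) / "stage3-amd64-sample.tar.bz2"
        stage.write_bytes(SAMPLE_BYTES)
        digests_text = "# SHA512 HASH\n%s  %s\n" % (
            hashlib.sha512(SAMPLE_BYTES).hexdigest(), stage.name)
        expected = parse_digests(digests_text)
        intact = verify_file(stage, expected[stage.name])
        # Simulate a file altered after the digest was produced.
        stage.write_bytes(SAMPLE_BYTES + b"x")
        tampered = verify_file(stage, expected[stage.name])
    return {
        "intact": intact,
        "tampered": tampered,
        "release_key": signature_key_matches(GOOD_STATUS),
        "other_key": signature_key_matches(OTHER_STATUS),
    }


if __name__ == "__main__":
    print(demo())
```

In practice the status text comes from running gpg with --status-fd 1 --verify on the .DIGESTS.asc file, and the digest text from the .DIGESTS file itself; the order matters, since the hashes are only worth recomputing once the signature over them has been tied to the expected key.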