[Grml] How to verify daily snapshot downloads
Bernhard Reiter
bernhard at intevation.de
Wed Apr 19 11:08:19 CEST 2017
Hello,
today I've taken a look at a daily image for grml.org
and found no way to verify that the image I'm downloading actually is
from your build machines.
http://grml.org/daily/
leads me to something like
http://daily.grml.org/grml64-full_testing/2017-04-19_05-31-21/
where there are no OpenPGP signatures available.
and the https variant of the URL does not show the files.
This is a problem because a downloader can be attacked by serving a
different iso file and the corresponding checksums. To prevent this attack
you could
a) also use https on the daily.grml.org server
b) Use a new OpenPGP build-key without password, publish the pubkey on the
https mainsite and use the key in the automatic building process to generate
the detached signatures.
Best Regards,
Bernhard
ps.: if you have a flattr account, I would have flattred you. :) Thanks for
grml.
--
www.intevation.de/~bernhard +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
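Both halves of proposal b), as an added example that is not grml's own code: a build-side function that signs the checksum file with a dedicated build key, and the downloader-side check that verifies that signature against a pinned copy of the public key before trusting any checksum. Directory layout, file names and the key name are assumptions.

```shell
#!/bin/sh
# Added example (not grml's tooling): unattended signing of a checksum file with
# a dedicated OpenPGP build key, and the downloader-side check that goes with it.
# Assumed layout: an image directory holding *.iso, SHA256SUMS and SHA256SUMS.sig;
# the public build key was fetched once over https and saved as a keyring file.
set -eu

# sign_checksums DIR  (build side; runs unattended, so the key has no passphrase)
# Writes DIR/SHA256SUMS and the detached signature DIR/SHA256SUMS.sig.
sign_checksums() {
    dir=$1
    ( cd "$dir" && sha256sum *.iso > SHA256SUMS )
    gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --detach-sign --output "$dir/SHA256SUMS.sig" "$dir/SHA256SUMS"
}

# verify_image KEYRING SUMS SIG IMAGE  (downloader side)
# Returns 0 when signature and checksum both hold, 2 when the signature does
# not verify against the pinned key, 3 when the image's digest is not listed.
verify_image() {
    keyring=$1; sums=$2; sig=$3; image=$4
    # Signature first: whoever swaps the ISO can swap the checksum file too,
    # so a bare sha256sum check proves nothing; the build key's signature is
    # what ties the checksums to the build machine.
    if ! gpg --batch --no-default-keyring --keyring "$keyring" \
             --trust-model always --verify "$sig" "$sums" >/dev/null 2>&1; then
        echo "FAIL: $sums is not signed by the pinned build key" >&2
        return 2
    fi
    # Only now is the checksum file trustworthy; compare the image's digest.
    expected=$(awk -v f="$(basename "$image")" '$2 == f { print $1 }' "$sums")
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
        echo "FAIL: $image does not match the signed checksum" >&2
        return 3
    fi
    echo "OK: $image matches a checksum signed by the pinned build key"
}
```

On a minimal system that only ships gpgv, the same check works with `gpgv --keyring "$keyring" "$sig" "$sums"` in place of the gpg call.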