[Grml] How to verify daily snapshot downloads

Bernhard Reiter bernhard at intevation.de
Wed Apr 19 11:08:19 CEST 2017


Hello,

today I've taken a look at a daily image for grml.org
and found no way to verify that the image I'm downloading actually is
from your build machines.

http://grml.org/daily/
leads me to something like 
http://daily.grml.org/grml64-full_testing/2017-04-19_05-31-21/

where there are no OpenPGP signatures available.
and the https variant of the URL does not show the files.

This is a problem because a downloader can be attacked by serving a 
different iso file and the corresponding checksums. To prevent this attack 
you could 
a) also use https on the daily.grml.org server
b) Use a new OpenPGP build-key without password, publish the pubkey on the 
https mainsite and use the key in the automatic building process to generate 
the detached signatures.

Best Regards,
Bernhard
ps.: if you have a flattr account, I would have flattred you. :) Thanks for 
grml.

-- 
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
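The verification flow the mail asks for, written out as an added example (not grml's own tooling, and not part of the original message): the build side publishes a SHA256SUMS file plus a detached OpenPGP signature over it, and the downloader refuses the ISO unless the signature verifies against the published build key and the ISO's digest matches the signed list. The build-side commands in the comments, the `gpg` invocation and the keyring path are assumptions; the sample ISO bytes are constructed for the demo.

```python
"""Verify a downloaded ISO against a signed SHA256SUMS file.

Added example illustrating the mail's proposal; not grml's tooling.
Assumed build-side steps (run by the automated build with a
passphrase-less build key, as suggested in the mail):
    sha256sum grml64-full_testing_*.iso > SHA256SUMS
    gpg --batch --local-user <BUILD_KEY_ID> --armor --detach-sign SHA256SUMS
which yields SHA256SUMS.asc next to the ISO.
"""
import hashlib
import hmac
import os
import subprocess
import tempfile


def sha256_of_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so multi-GB ISOs do not hit memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_sha256sums(text):
    """Parse `sha256sum` output: '<64 hex chars>  <name>' or '<hex> *<name>'."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # text mode uses two spaces, binary mode " *"
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest line: {line!r}")
        sums[name] = digest
    return sums


def checksum_matches(iso_path, sums_text):
    """True only if the ISO's basename is listed and its SHA-256 matches."""
    sums = parse_sha256sums(sums_text)
    name = os.path.basename(iso_path)
    if name not in sums:
        return False
    return hmac.compare_digest(sums[name], sha256_of_file(iso_path))


def signature_is_valid(signed_path, sig_path, keyring=None, gpg="gpg"):
    """Ask gpg for a VALIDSIG status line; any failure (including a missing
    gpg binary) is treated as 'not verified'."""
    cmd = [gpg, "--batch", "--status-fd", "1"]
    if keyring:  # restrict trust to the published build key, not the whole keyring
        cmd += ["--no-default-keyring", "--keyring", keyring]
    cmd += ["--verify", sig_path, signed_path]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return False
    return out.returncode == 0 and "[GNUPG:] VALIDSIG" in out.stdout


def verify_download(iso_path, sums_path, sig_path, keyring=None, gpg="gpg"):
    """Signature first, then digest: an unsigned checksum file proves nothing,
    because an attacker who can swap the ISO can swap the checksums too."""
    with open(sums_path) as f:
        sums_text = f.read()
    if not signature_is_valid(sums_path, sig_path, keyring, gpg):
        return False, "signature on SHA256SUMS did not verify"
    if not checksum_matches(iso_path, sums_text):
        return False, "sha256 mismatch between ISO and signed SHA256SUMS"
    return True, "ok"


def constructed_sample():
    """Build a constructed (fake) ISO in a temp dir and return
    (iso_path, matching SHA256SUMS text, tampered SHA256SUMS text)."""
    d = tempfile.mkdtemp()
    iso = os.path.join(d, "grml64-full_testing.iso")
    with open(iso, "wb") as f:
        f.write(b"constructed sample, not a real ISO\n" * 64)
    good = sha256_of_file(iso) + "  grml64-full_testing.iso\n"
    tampered = ("0" * 64) + "  grml64-full_testing.iso\n"
    return iso, good, tampered


if __name__ == "__main__":
    iso, good, tampered = constructed_sample()
    print("matching sums :", checksum_matches(iso, good))      # True
    print("tampered sums :", checksum_matches(iso, tampered))  # False
```

The order in `verify_download` is the point of the mail's proposal (b): the digest comparison only protects against transfer corruption, while the detached signature over SHA256SUMS binds the digests to the build key that was fetched separately over https from the main site.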