[Grml] How to verify daily snapshot downloads

Bernhard Reiter bernhard at intevation.de
Wed Apr 19 11:08:19 CEST 2017


Today I've taken a look at a daily image for grml.org
and found no way to verify that the image I'm downloading actually is
from your build machines.

leads me to something like 

where no OpenPGP signatures are available,
and the https variant of the URL does not show the files.

This is a problem because a downloader like can be attacked by serving a
different ISO file and the corresponding checksums. To prevent this attack
you could
a) also use https on the daily.grml.org server
b) use a new OpenPGP build-key without password, publish the pubkey on the
https mainsite and use the key in the automatic building process to generate
the detached signatures.

Best regards,
PS: if you have a flattr account, I would have flattred you. :) Thanks for

www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
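The download-side check that proposal b) would make possible, as an added example that is not from the original mail or from the Grml project: import the build key from a file fetched over https into a dedicated keyring, verify the detached signature on the checksum list, and only then compare the ISO's hash. The file names SHA256SUMS / SHA256SUMS.asc, the key file path and the keyring directories are assumptions.

```shell
#!/bin/sh
# Verify a daily ISO against a detached OpenPGP signature on its checksum list.
# Assumed layout (not from the original mail): the build process publishes
# ISO, SHA256SUMS and SHA256SUMS.asc; the public build key is fetched
# separately over https from the main site and passed in as a file.
set -eu

# Import the build key into a dedicated keyring so it is never mixed with
# personal keys; trust comes from having fetched the key over https.
import_build_key() {          # $1 = pubkey file, $2 = GNUPGHOME directory
    mkdir -p "$2" && chmod 700 "$2" &&
    gpg --homedir "$2" --batch --quiet --import "$1"
}

# Step 1: the signature on the checksum list must validate against the
# dedicated keyring; gpg exits non-zero for a bad or unknown-key signature.
verify_sums_signature() {     # $1 = SHA256SUMS, $2 = SHA256SUMS.asc, $3 = GNUPGHOME
    gpg --homedir "$3" --batch --quiet --verify "$2" "$1"
}

# Step 2: only a signed checksum list is trusted. Accept both sha256sum
# text ("hash  file") and binary ("hash *file") entries for the ISO name.
# Returns 0 on match, 1 on mismatch or if the ISO is not listed.
check_iso_sha256() {          # $1 = SHA256SUMS, $2 = ISO path
    expected=$(awk -v f="$(basename "$2")" '$2 == f || $2 == ("*" f) {print $1}' "$1")
    [ -n "$expected" ] || { echo "not listed: $2" >&2; return 1; }
    actual=$(sha256sum "$2" | cut -d' ' -f1)
    [ "$expected" = "$actual" ] || { echo "checksum mismatch: $2" >&2; return 1; }
    echo "checksum ok: $2"
}

# Full flow: signature first, then checksum. A swapped ISO served together
# with a matching SHA256SUMS fails at step 1, because SHA256SUMS.asc cannot be
# produced without the build key. The explicit "|| return 1" keeps the
# ordering strict even when set -e is suspended by a caller's "!" or "||".
verify_iso() {                # $1 = ISO, $2 = SHA256SUMS, $3 = SHA256SUMS.asc, $4 = GNUPGHOME
    verify_sums_signature "$2" "$3" "$4" || return 1
    check_iso_sha256 "$2" "$1"
}
```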
