[Grml] How to verify daily snapshot downloads
Michael Prokop
mika at grml.org
Wed Apr 19 16:32:22 CEST 2017
* Michael Prokop [Wed Apr 19, 2017 at 03:32:17PM +0200]:
> * Bernhard Reiter [Wed Apr 19, 2017 at 11:08:19AM +0200]:
> > today I've taken a look at a daily image for grml.org
> > and found no way to verify that the image I'm downloading actually is
> > from your build machines.
> > http://grml.org/daily/
> > leads me to something like
> > http://daily.grml.org/grml64-full_testing/2017-04-19_05-31-21/
> > where there are no OpenPGP signatures available.
> > and the https variant or the url does not show the files.
> > This is a problem because a downloader like can be attacked by serving a
> > different iso file and the corresponding checksums. To prevent this attack
> > you could
> > a) also use https on the daily.grml.org server
> > b) Use a new OpenPGP build-key without password, publish the pubkey on the
> > https mainsite and use the key in the automatic building process to generate
> > the detached signatures.
> Good idea, I'll add this to our todo list.
And https for daily.grml.org is already available, thanks to
Alexander 'formorer' Wirt.
regards,
-mika-
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://ml.grml.org/pipermail/grml/attachments/20170419/4ad202d7/attachment.sig>
More information about the Grml
mailing list