[Grml] How to verify daily snapshot downloads

Michael Prokop mika at grml.org
Wed Apr 19 16:32:22 CEST 2017

* Michael Prokop [Wed Apr 19, 2017 at 03:32:17PM +0200]:
> * Bernhard Reiter [Wed Apr 19, 2017 at 11:08:19AM +0200]:

> > today I've taken a look at a daily image for grml.org
> > and found no way to verify that the image I'm downloading actually is
> > from your build machines.

> > http://grml.org/daily/
> > leads me to something like 
> > http://daily.grml.org/grml64-full_testing/2017-04-19_05-31-21/

> > where there are no OpenPGP signatures available.
> > and the https variant or the url does not show the files.

> > This is a problem because a downloader like can be attacked by serving a 
> > different iso file and the corresponding checksums. To prevent this attack 
> > you could 
> > a) also use https on the daily.grml.org server
> > b) Use a new OpenPGP build-key without password, publish the pubkey on the 
> > https mainsite and use the key in the automatic building process to generate 
> > the detached signatures.

> Good idea, I'll add this to our todo list.

And https for daily.grml.org is already available, thanks to
Alexander 'formorer' Wirt.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://ml.grml.org/pipermail/grml/attachments/20170419/4ad202d7/attachment.sig>

More information about the Grml mailing list