On Wed, Jun 29, 2016 at 02:46:26PM -0700, Yuri wrote:
> On 06/29/2016 14:32, Glen Barber wrote:
> >But you raise a good point, poudriere does not have a good way to
> >validate the base.txz unless it also unpacks bootonly.iso (or any of the
> >installer media) and compares the checksums.
> >
>
> The possible solution is that poudriere should supply a public key as a part
> of the package, and all binaries that it downloads are also signed with the
> corresponding private key.
>
If I understand what you mean correctly, that would imply poudriere is
responsible for the contents of base.txz, which it is not.

I think the better solution (if I understood correctly) is RE needs to
PGP-sign the releases/${TARGET}/${TARGET_ARCH}/X.Y-RELEASE/MANIFEST file,
and include it in the announcement email for the release, as well as on
the website. Please correct me if I did misunderstand.

This way, poudriere could verify the hash of the file against what it has
downloaded, in addition to verifying the PGP fingerprint.

Glen
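Added example (not from the original mail and not poudriere's code): the check proposed above in POSIX sh, verifying a detached signature on MANIFEST and then comparing the downloaded base.txz against its SHA256 entry in that file. MANIFEST.asc, the dedicated keyring holding only the RE key, and all function names are assumptions; the tab-separated MANIFEST layout (dist name, then SHA256) is the one FreeBSD releases ship.

```sh
#!/bin/sh
# MANIFEST lines are tab-separated; field 1 is the dist name, field 2 its SHA256.

# SHA-256 of a file: sha256(1) on FreeBSD, sha256sum(1) or shasum(1) elsewhere.
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d ' ' -f 1
    else shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# verify_manifest_sig KEYRING MANIFEST
# Assumption: RE publishes MANIFEST.asc next to MANIFEST (the proposal in the
# mail). gpgv accepts only keys in KEYRING, so a signature from any other key
# fails. Give KEYRING as a path containing a slash.
verify_manifest_sig() {
    gpgv --keyring "$1" "$2.asc" "$2"
}

# manifest_hash MANIFEST NAME
# Prints the expected SHA256; fails unless exactly one entry has that name,
# so a duplicated or missing line is never silently accepted.
manifest_hash() {
    awk -F '\t' -v n="$2" \
        '$1 == n { h = $2; c++ } END { if (c != 1) exit 1; print h }' "$1"
}

# verify_distfile MANIFEST FILE
# Returns 0 on match, 1 on hash mismatch, 2 if the entry is missing or malformed.
verify_distfile() {
    want=$(manifest_hash "$1" "$(basename "$2")") || return 2
    case "$want" in
        ""|*[!0-9a-f]*) return 2 ;;   # reject anything but lowercase hex
    esac
    [ "${#want}" -eq 64 ] || return 2
    got=$(file_sha256 "$2") || return 2
    [ "$got" = "$want" ]
}

# verify_release KEYRING MANIFEST FILE
# Signature first: the hash in MANIFEST means nothing until MANIFEST itself
# is authenticated.
verify_release() {
    verify_manifest_sig "$1" "$2" || return 3
    verify_distfile "$2" "$3"
}
```

Without the signature step the hash comparison only detects corruption, since anyone able to replace base.txz on a mirror can replace MANIFEST too.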