Sign discovery images using GPG
|Assigned To:|Lukas Zapletal|
|Target version:|Image 3.0.0|
The Foreman discovery plugin says to verify the checksums by having you cat the included file and then run sha256sum over the files. I suppose this helps if you want to verify that it didn't get corrupted by the download. However, if someone was going to hack into the site and replace the tars, don't you think they'd replace the included SHA256SUM as well? I cannot find the expected sums anywhere online. The wiki page shows sums in the instructions [[http://theforeman.org/plugins/foreman_discovery/3.0/index.html#2.3.3Verifychecksums]], but they are obviously examples, as they are the same for every version.
#2 Updated by Lukas Zapletal almost 2 years ago
- Status changed from New to Closed
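
The check this ticket asks for, as an added example that is not part of the original issue or the project's own tooling: the checksum file is trusted only after its detached GPG signature verifies against a key fingerprint obtained out of band. The signature file name `SHA256SUM.sig`, the function name, and the fingerprint argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify a download directory whose checksum file carries a
# detached GPG signature. File names and the fingerprint are assumptions.

# verify_release DIR EXPECTED_FPR
#   DIR holds SHA256SUM, SHA256SUM.sig (assumed name) and the listed files.
#   EXPECTED_FPR is the signing key's full primary fingerprint, obtained from
#   a channel other than the server that hosts the images.
# Returns 0 if everything checks out, 2 if a file is missing, 1 otherwise.
verify_release() {
    dir=$1
    expected_fpr=$2

    [ -f "$dir/SHA256SUM" ] && [ -f "$dir/SHA256SUM.sig" ] || {
        echo "missing SHA256SUM or SHA256SUM.sig" >&2; return 2; }

    # --status-fd 1 prints machine-readable status lines on stdout.
    status=$(gpg --batch --status-fd 1 --verify \
                 "$dir/SHA256SUM.sig" "$dir/SHA256SUM" 2>/dev/null) || {
        echo "signature check failed" >&2; return 1; }

    # The last field of the VALIDSIG line is the primary key fingerprint.
    # A good signature from any other key in the keyring is still rejected.
    signer=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF }')
    [ "$signer" = "$expected_fpr" ] || {
        echo "signed by unexpected key: $signer" >&2; return 1; }

    # Only now do the sums say anything about authenticity.
    (cd "$dir" && sha256sum -c SHA256SUM >/dev/null) || {
        echo "checksum mismatch" >&2; return 1; }
}
```

A directory where both the tar and SHA256SUM were swapped still passes `sha256sum -c`, but fails here at the signature step.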