Project

General

Profile

Actions

Bug #11359

closed

Sign discovery images using GPG

Added by Anonymous over 8 years ago. Updated over 8 years ago.

Status:
Closed
Priority:
Normal
Category:
Image
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

The foreman discovery plugin says to verify the checksums by having you cat the included file and then run sha256sum over the files. I suppose this helps if you want to verify that it didn't get corrupted by the download. However, if someone was going to hack into the site and replace the tars, don't you think they'd replace the included SHA256SUM as well? I cannot find the expected sums anywhere online. The wiki page shows sums in the instructions [[http://theforeman.org/plugins/foreman_discovery/3.0/index.html#2.3.3Verifychecksums]], but they are obviously examples, as they are the same for every version.

Actions #1

Updated by Lukas Zapletal over 8 years ago

  • Subject changed from Insufficient checksum validation to Sign discovery images using GPG
  • Assignee set to Lukas Zapletal
  • Target version set to Discovery Image 3.0.0

Hello, we are aware of that. I will make sure the next fdi release is signed with our GPG keys.

Actions #2

Updated by Lukas Zapletal over 8 years ago

  • Status changed from New to Closed
Actions

Also available in: Atom PDF