Sign discovery images using GPG
Assigned To: Lukas Zapletal
Target version: Image 3.0.0
Velocity based estimate: -
The foreman discovery plugin says to verify the checksums by having you cat the included file and then run sha256sum over the files. I suppose this helps if you want to verify that it didn't get corrupted by the download. However, if someone was going to hack into the site and replace the tars, don't you think they'd replace the included SHA256SUM as well? I cannot find the expected sums anywhere online. The wiki page shows sums in the instructions [[http://theforeman.org/plugins/foreman_discovery/3.0/index.html#2.3.3Verifychecksums]], but they are obviously examples, as they are the same for every version.
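The verification flow the reporter is asking for, as an added example that is not part of this issue or of the Foreman project's own tooling: the SHA256SUM file is only trusted after its detached signature verifies against a pinned signing-key fingerprint, and `sha256sum -c` runs only after that. The script assumes `gpg` 2.x and GNU `sha256sum`, a detached armored signature named `SHA256SUM.asc` next to the sums file, and (in the self-test) a throw-away key generated in a temporary GNUPGHOME; the file names, key name and fingerprint-pinning wrapper are this example's own choices, not anything the project publishes.

```shell
#!/bin/sh
# Added example (not Foreman project code). Verify a downloaded release only
# after the SHA256SUM file has been checked against a pinned signing key.
# Assumed layout of DIR:  <image files>  SHA256SUM  SHA256SUM.asc

# verify_release DIR FINGERPRINT
#   1. gpg --verify the detached signature and require a VALIDSIG status line
#      carrying the pinned fingerprint.  The exit status alone is not enough:
#      gpg exits 0 for a valid signature from *any* key in the keyring.
#   2. Only then run sha256sum -c over the files listed in SHA256SUM.
verify_release() {
    dir=$1
    fpr=$2
    status=$(cd "$dir" && gpg --batch --status-fd 1 --verify SHA256SUM.asc SHA256SUM 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG .*$fpr" || return 1
    (cd "$dir" && sha256sum -c --quiet SHA256SUM) >/dev/null 2>&1
}

# demo: self-test with a constructed release and a throw-away key.
#   Returns 0 when the genuine release verifies and the tampered one
#   (tarball *and* SHA256SUM replaced, as in the report) is rejected;
#   returns 2 if the throw-away key could not be generated in this environment.
demo() {
    work=$(mktemp -d)
    GNUPGHOME="$work/gnupg"
    export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
        --quick-gen-key "fdi-release-test <fdi@example.invalid>" ed25519 sign never \
        >/dev/null 2>&1 || { rm -rf "$work"; unset GNUPGHOME; return 2; }
    # Fingerprint that a real user would obtain out of band and pin in config.
    fpr=$(gpg --batch --with-colons --list-keys 2>/dev/null | awk -F: '$1=="fpr"{print $10; exit}')

    rel="$work/release"
    mkdir "$rel"
    printf 'constructed image payload\n' > "$rel/fdi-image.tar"   # constructed sample
    (cd "$rel" && sha256sum fdi-image.tar > SHA256SUM \
        && gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
               --detach-sign --armor -o SHA256SUM.asc SHA256SUM) 2>/dev/null

    if verify_release "$rel" "$fpr"; then genuine=0; else genuine=1; fi

    # Attacker with write access to the download site swaps the image and
    # regenerates SHA256SUM, but cannot produce a signature from the pinned key.
    printf 'tampered payload\n' > "$rel/fdi-image.tar"
    (cd "$rel" && sha256sum fdi-image.tar > SHA256SUM)
    if verify_release "$rel" "$fpr"; then tampered=0; else tampered=1; fi

    gpgconf --kill gpg-agent >/dev/null 2>&1
    rm -rf "$work"
    unset GNUPGHOME
    printf 'genuine_verified=%s tampered_rejected=%s\n' \
        "$([ "$genuine" -eq 0 ] && echo yes || echo no)" \
        "$([ "$tampered" -eq 1 ] && echo yes || echo no)"
    [ "$genuine" -eq 0 ] && [ "$tampered" -eq 1 ]
}

# Run the self-test with:  sh verify_fdi.sh demo   (file name is hypothetical)
if [ "${1:-}" = demo ]; then demo; fi
```

For a real download, import the project's published key into a dedicated keyring (`--keyring` or a separate GNUPGHOME) and pass the fingerprint you obtained from a second channel; a SHA256SUM that is served from the same host as the tarball, unsigned, protects only against corruption, which is exactly the gap described above.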
#1 Updated by Lukas Zapletal almost 3 years ago
- Subject changed from Insufficient checksum validation to Sign discovery images using GPG
- Assigned To set to Lukas Zapletal
- Target version set to Image 3.0.0
Hello, we are aware of that. I will make sure the next fdi release is signed with our GPG keys.
#2 Updated by Lukas Zapletal over 2 years ago
- Status changed from New to Closed