Project

General

Profile

Actions
Copy link

Bug #11359

closed

Sign discovery images using GPG

Added by Anonymous over 9 years ago. Updated about 9 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Lukas Zapletal
Category:
Image
Target version:
Discovery Image 3.0.0
Difficulty:
Triaged:
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

The foreman discovery plugin says to verify the checksums by having you cat the included file and then run sha256sum over the files. I suppose this helps if you want to verify that it didn't get corrupted by the download. However, if someone was going to hack into the site and replace the tars, don't you think they'd replace the included SHA256SUM as well? I cannot find the expected sums anywhere online. The wiki page shows sums in the instructions [[http://theforeman.org/plugins/foreman_discovery/3.0/index.html#2.3.3Verifychecksums]], but they are obviously examples, as they are the same for every version.

Actions
Copy link
 #1

Updated by Lukas Zapletal over 9 years ago

  • Subject changed from Insufficient checksum validation to Sign discovery images using GPG
  • Assignee set to Lukas Zapletal
  • Target version set to Discovery Image 3.0.0

Hello, we are aware of that. I will make sure the next fdi release is signed with our GPG keys.

Actions
Copy link
 #2

Updated by Lukas Zapletal about 9 years ago

  • Status changed from New to Closed
Actions
Copy link

Also available in: Atom PDF