rawhide signing and other such things

seth vidal skvidal at phy.duke.edu
Tue Oct 26 05:37:11 UTC 2004


I've been reading the thread of complaints about rawhide being unsigned.

The problem is, of course, the feasibility of getting the pkgs signed in a
semi-secure format.

What if we did the following:

we added functions to anything that reads repomd.xml to check for a gpg
signature in a detached file.

Then we could verify that the repomd.xml file is the original one.

That lets us know that the sha1 or md5 checksums in the repomd.xml file
pointing to the primary, filelists, other and groups metadata are valid.

If the metadata.xml files match the checksum from the signed and
verified repomd.xml then we know those files are valid.

Now each package entry contains a package id in the metadata.

That id is either an md5sum or a sha1sum of the package file itself.

So now, if we download that file and the md5sum or sha1sum matches what
is in the metadata xml files, then we know it is valid too.

This at least gets us to a point where we can reasonably trust the
packages from the repository based on a single signature for the
repomd.xml file.


What do y'all think? Would that be workable?

-sv
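The chain of trust proposed above, as an added worked example (not code from yum, createrepo or the post itself): a single detached signature over repomd.xml, whose checksums vouch for the metadata files, whose pkgid checksums vouch for the package files. The repository contents, the package bytes and the hex element layout are constructed for the example; the detached signature is an HMAC-SHA1 stand-in for a GPG signature so the example runs offline (an assumption of this example, with the real `gpg --verify` call shown separately), and the element and namespace names follow the createrepo metadata format of the time, where checksum type `sha` means SHA-1.

```python
"""Chain of trust for a yum-style repository: one detached signature over
repomd.xml, then checksums chaining down to the package files.
Added example, not code from yum, createrepo or the mailing-list post."""
import gzip
import hashlib
import hmac
import subprocess
import xml.etree.ElementTree as ET

REPO_NS = {"r": "http://linux.duke.edu/metadata/repo"}      # repomd.xml
COMMON_NS = {"c": "http://linux.duke.edu/metadata/common"}  # primary.xml
HASHES = {"sha": "sha1", "sha1": "sha1", "md5": "md5", "sha256": "sha256"}  # createrepo names


class RepoVerifyError(Exception):
    pass


def digest(kind, data):
    if kind not in HASHES:
        raise RepoVerifyError("unknown checksum type %r" % kind)
    return hashlib.new(HASHES[kind], data).hexdigest()


def gpg_verify_detached(sig_path, data_path, keyring):
    """Real-world check: gpg exits 0 only if the detached signature in sig_path
    verifies over data_path with a key in `keyring`. Not used by the offline demo."""
    r = subprocess.run(["gpg", "--batch", "--no-default-keyring", "--keyring",
                        keyring, "--verify", sig_path, data_path], capture_output=True)
    return r.returncode == 0


def verify_repository(fetch, verify_sig):
    """fetch(path) -> bytes of a repository file; verify_sig(sig, data) -> bool.
    Returns {href: bytes} for packages whose whole chain verified, else raises."""
    repomd = fetch("repodata/repomd.xml")
    if not verify_sig(fetch("repodata/repomd.xml.asc"), repomd):
        raise RepoVerifyError("repomd.xml: detached signature does not verify")

    # 1. repomd.xml is authentic, so the checksums it lists can be trusted.
    trusted = {}
    for data in ET.fromstring(repomd).findall("r:data", REPO_NS):
        href = data.find("r:location", REPO_NS).get("href")
        ck = data.find("r:checksum", REPO_NS)
        blob = fetch(href)  # the checksum covers the file as served (the .gz)
        if not hmac.compare_digest(digest(ck.get("type"), blob), ck.text.strip()):
            raise RepoVerifyError("%s: does not match checksum in signed repomd.xml" % href)
        trusted[data.get("type")] = gzip.decompress(blob) if href.endswith(".gz") else blob

    # 2. primary metadata is now trusted; each pkgid is the checksum of a package file.
    packages = {}
    for pkg in ET.fromstring(trusted["primary"]).findall("c:package", COMMON_NS):
        href = pkg.find("c:location", COMMON_NS).get("href")
        ck = pkg.find("c:checksum", COMMON_NS)
        if ck.get("pkgid") != "YES":
            raise RepoVerifyError("%s: checksum is not the package id" % href)
        blob = fetch(href)
        if not hmac.compare_digest(digest(ck.get("type"), blob), ck.text.strip()):
            raise RepoVerifyError("%s: does not match pkgid in primary metadata" % href)
        packages[href] = blob
    return packages


# --- constructed in-memory repository for the offline demo -----------------
PRIMARY = (b'<metadata xmlns="http://linux.duke.edu/metadata/common" packages="1">'
           b'<package type="rpm"><name>foo</name>'
           b'<checksum type="sha" pkgid="YES">%s</checksum>'
           b'<location href="foo-1.0-1.i386.rpm"/></package></metadata>')
REPOMD = (b'<repomd xmlns="http://linux.duke.edu/metadata/repo">'
          b'<data type="primary"><location href="repodata/primary.xml.gz"/>'
          b'<checksum type="sha">%s</checksum></data></repomd>')
KEY = b"constructed demo key"  # stands in for the repository signing key


def fake_sign(data):
    """Stand-in for the detached GPG signature (assumption of this example so it
    runs offline): HMAC-SHA1 under KEY. Real deployments use gpg_verify_detached."""
    return hmac.new(KEY, data, "sha1").hexdigest().encode()


def fake_verify(sig, data):
    return hmac.compare_digest(sig, fake_sign(data))


def build_repo(pkg):
    primary = gzip.compress(PRIMARY % digest("sha", pkg).encode())
    repomd = REPOMD % digest("sha", primary).encode()
    return {"repodata/repomd.xml": repomd, "repodata/repomd.xml.asc": fake_sign(repomd),
            "repodata/primary.xml.gz": primary, "foo-1.0-1.i386.rpm": pkg}


def demo(attack=None):
    """attack: None, or how far a mirror operator without the signing key rewrites files."""
    good = build_repo(b"\xed\xab\xee\xdb constructed rpm bytes")  # rpm lead magic, not a real rpm
    evil = build_repo(b"\xed\xab\xee\xdb trojaned rpm bytes")
    files = dict(good)
    if attack in ("package", "primary", "repomd"):
        files["foo-1.0-1.i386.rpm"] = evil["foo-1.0-1.i386.rpm"]           # swap the package
    if attack in ("primary", "repomd"):
        files["repodata/primary.xml.gz"] = evil["repodata/primary.xml.gz"]  # regenerate metadata
    if attack == "repomd":
        files["repodata/repomd.xml"] = evil["repodata/repomd.xml"]          # but cannot re-sign it
    try:
        return True, sorted(verify_repository(files.__getitem__, fake_verify))
    except RepoVerifyError as e:
        return False, str(e)


if __name__ == "__main__":
    for attack in (None, "package", "primary", "repomd"):
        print(attack, demo(attack))
```

Each of the three attack modes is caught at a different link of the chain: a swapped package fails the pkgid check, regenerated primary metadata fails the checksum in the signed repomd.xml, and a rewritten repomd.xml fails the signature itself. Two caveats a practitioner would add to the scheme as described: the chain is only as strong as the hash algorithm the metadata uses (md5 and sha1 were the createrepo defaults at the time; a current deployment should use sha256), and a signature on repomd.xml alone does not stop a mirror from replaying an older, still validly signed repomd.xml, so a client also needs to check the timestamp it carries against the one it last accepted.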

More information about the fedora-devel-list mailing list