[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: rawhide signing and other such things



On Tue, 26 Oct 2004, seth vidal wrote:

> I've been reading the thread of complaints about rawhide being unsigned.
> 
> The problem is, of course, a feasibility of getting the pkgs signed in a
> semi-secure format.
> 
> What if we did the following:
> 
> we added functions to anything that reads repomd.xml to check for a gpg
> signature in a detached file.
> 
> Then we could verify that the repomd.xml file is the original one.
> 
> That lets us know that the sha1 or md5 checksums in the repomd.xml file
> pointing to the primary, filelists, other and groups metadata are valid.
> 
> if the metadata.xml files match the checksum from the signed and
> verified repomd.xml then we know those files are valid.
> 
> Now Each package entry contains a package id in the metadata.
> 
> that id is either and md5sum or a sha1sum of the package file itself.
> 
> So now, if we download that file and the md5sum or sha1sum matches what
> is in the metadata xml files then we know it is valid too.
> 
> This at least gets us to a point where we can reasonably trust the
> packages from the repository based on a single signature for the
> repomd.xml file.
> 
> 
> What do y'all think? Would that be workable?

That's basically how apt's "authenticated repositories" work.

	- Panu -


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]