Are signatures of system images verified?

Yuri yuri at rawbw.com
Wed Jun 29 22:22:35 UTC 2016


On 06/29/2016 14:59, Glen Barber wrote:
> If I understand what you mean correctly, that would imply poudriere is
> responsible for the contents of base.txz, which it is not.  I think the
> better solution (if I understood correctly) is RE needs to PGP-sign the
> releases/${TARGET}/${TARGET_ARCH}/X.Y-RELEASE/MANIFEST file, and include
> it in the announcement email for the release, as well as on the website.
>
> Please correct me if I did misunderstand.
>
> This way, poudriere could verify the hash of the file against what it
> has downloaded, in addition to verifying the PGP fingerprint.


Yes, only MANIFEST should be signed; I made a mistake suggesting that
all binaries should be signed.


I don't quite understand the connection between the poudriere run and 
the announcement email. Could you please elaborate on this? Just 
downloading something from the website isn't secure either.


Thank you,

Yuri
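
The check discussed in this thread, as an added example that is not part of the original message and not poudriere code: verify a detached signature over MANIFEST first, then compare the downloaded base.txz with the SHA-256 listed in it. Assumptions: MANIFEST lines are tab-separated with the file name and SHA-256 as the first two fields, the signature is a detached file checked with `gpgv`, and the keyring is pinned locally and was obtained out of band; all function names are hypothetical.

```python
import hashlib
import hmac
import subprocess
from pathlib import Path

def manifest_signature_ok(manifest: Path, sig: Path, keyring: Path) -> bool:
    """Check a detached signature over MANIFEST against a pinned keyring.
    Assumption: the keyring holds only the release key, obtained out of band."""
    cmd = ["gpgv", "--keyring", str(keyring.resolve()), str(sig), str(manifest)]
    try:
        return subprocess.run(cmd, capture_output=True).returncode == 0
    except OSError:
        return False  # gpgv missing or not executable: fail closed

def parse_manifest(text: str) -> dict[str, str]:
    """Map file name -> expected SHA-256 (assumed first two tab-separated fields)."""
    digests: dict[str, str] = {}
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 2:
            continue  # blank or unrelated line
        name, digest = fields[0], fields[1].lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest for {name!r}")
        if name in digests:
            raise ValueError(f"duplicate entry for {name!r}")
        digests[name] = digest
    return digests

def dist_matches_manifest(dist: Path, digests: dict[str, str]) -> bool:
    """Hash the downloaded file and compare with its MANIFEST entry.
    A file that MANIFEST does not list is rejected."""
    expected = digests.get(dist.name)
    if expected is None:
        return False
    h = hashlib.sha256()
    with dist.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected)

def verify_download(dist: Path, manifest: Path, sig: Path, keyring: Path) -> bool:
    """Signature first, then the hash: a digest from an unverified MANIFEST
    only shows that the file matches whatever was downloaded next to it."""
    if not manifest_signature_ok(manifest, sig, keyring):
        return False
    return dist_matches_manifest(dist, parse_manifest(manifest.read_text()))
```
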



More information about the freebsd-pkgbase mailing list