FS#47775 - {archweb} Confirm PGP signing key, fingerprint for ISOs on download page.

Attached to Project: Arch Linux
Opened by Loui Chang (louipc) - Saturday, 16 January 2016, 04:47 GMT
Last edited by freswa (frederik) - Thursday, 10 September 2020, 13:04 GMT
Task Type Support Request
Category Web Sites
Status Closed
Assigned To Dan McGee (toofishes)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 3
Private No

Details

It's not really clear whether the signature is authentic from the download page.

Add signing key data to page.
Also link to https://www.archlinux.org/master-keys/

Thanks.

Closed by freswa (frederik)
Thursday, 10 September 2020, 13:04 GMT
Reason for closing: Fixed
Comment by Doug Newgard (Scimmia) - Saturday, 16 January 2016, 07:07 GMT
I have no idea what you're asking for. The ISO is signed by Gerardo Pozzi, so it's already on the page you linked to.
Comment by Loui Chang (louipc) - Saturday, 16 January 2016, 18:07 GMT
Nowhere on that page does the text 'Gerardo Pozzi' appear, nor does his keyid or fingerprint.

And actually the sig (archlinux-2016.01.01-dual.iso.sig) that I checked belongs to:

"Pierre Schmitz <pierre@archlinux.de>"
keyid "7F2D434B9741E8AC"
fingerprint "4AA4 767B BC9C 4B1D 18AE 28B7 7F2D 434B 9741 E8AC"

I will have to download the master keys to verify this is authentic because it is not mentioned anywhere on the download page.
So the signing key should be explicitly mentioned on the download page as well as a link to master keys if someone wants extra verification.
Comment by Doug Newgard (Scimmia) - Saturday, 16 January 2016, 18:28 GMT
I think your "find" function is broken, because Gerardo Pozzi most certainly is on that page. I wasn't aware that Pierre was doing ISOs, but that's not a problem as his key is listed on that same page. I have no idea why you think you have to download the master keys to verify it.
Comment by Loui Chang (louipc) - Saturday, 16 January 2016, 19:48 GMT
Please point to where it is on that page including keyid and fingerprint. Thanks.
https://www.archlinux.org/download/
Comment by Doug Newgard (Scimmia) - Sunday, 17 January 2016, 05:07 GMT
I said on the page you linked to. That is not the page you linked to.
Comment by Loui Chang (louipc) - Sunday, 17 January 2016, 07:45 GMT
You missed where I mentioned 'download page'. Cheers
Comment by Jelle van der Waa (jelly) - Wednesday, 07 June 2017, 19:41 GMT
To add this to the download page, either the "Release" object has to have an extra field for the fingerprint, or change the syncisos command:
The syncisos command fetches the isos from a mirror (e.g. set ISO_LIST_URL = 'http://mirrors.kernel.org/archlinux/iso/' in your local_settings.py) and then imports the names of the iso.
It could theoretically fetch the sig and extract the pubkey id and get the sha512 / md5 sum. But security-wise that might not be wanted.
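The comment above sketches syncisos fetching the .sig and pulling the public key ID out of it. As an added example (not archweb's own code and not Jelle's), the Python below shows what that extraction involves for a binary detached OpenPGP signature, and the check that makes the result worth displaying: comparing the full fingerprint from the signature's hashed area against a fixed allowlist, instead of echoing whatever key a mirror-served signature names. `TRUSTED_ISO_SIGNERS`, `SAMPLE_SIG` and all function names are constructed for this example; the only value taken from the page is the fingerprint quoted in Loui's comment.

```python
"""Extract the signing key from a detached OpenPGP .sig file (added example,
not archweb's own code).  A minimal RFC 4880 / RFC 9580 packet parser that
reads the Issuer (subpacket 16) and Issuer Fingerprint (subpacket 33) of a
binary detached signature, so the key that signed an ISO can be shown on a
page or compared with a fixed allowlist.  SAMPLE_SIG is constructed for this
example: its packet layout is valid, but it is not a real signature."""
from __future__ import annotations

from dataclasses import dataclass

SIGNATURE_TAG, SUBPKT_ISSUER_KEY_ID, SUBPKT_ISSUER_FINGERPRINT = 2, 16, 33

# Allowlist of ISO signing keys the site operator trusts (assumption: in archweb
# this would live in settings).  The entry is the fingerprint quoted in the thread.
TRUSTED_ISO_SIGNERS = {"4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC"}

# Constructed v4 signature packet; lengths are consistent with RFC 4880.
SAMPLE_SIG = bytes.fromhex(
    "88 34"                   # old-format header: tag 2 (signature), length 52
    "04 00 01 08"             # v4, binary-document sig, RSA, SHA-256
    "00 1d"                   # hashed subpacket area: 29 bytes
    "05 02 56 86 5c 80"       #   creation time
    "16 21 04 4aa4767bbc9c4b1d18ae28b77f2d434b9741e8ac"  # issuer fingerprint
    "00 0a"                   # unhashed subpacket area: 10 bytes
    "09 10 7f2d434b9741e8ac"  #   issuer key ID
    "de ad"                   # left 16 bits of the hash
    "00 08 ff"                # signature MPI (placeholder)
)


@dataclass
class SignatureInfo:
    version: int
    key_id: str | None = None
    fingerprint: str | None = None


def _read_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a new-format/subpacket length field at pos; return (length, next_pos)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5


def _read_packet_header(data: bytes, pos: int) -> tuple[int, int, int]:
    """Return (tag, body_start, body_len) for the packet starting at pos."""
    ctb = data[pos]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet (armored input must be dearmored)")
    if ctb & 0x40:                                # new-format header
        if 224 <= data[pos + 1] < 255:
            raise ValueError("partial body lengths not supported")
        length, start = _read_length(data, pos + 1)
        return ctb & 0x3F, start, length
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03     # old-format header
    if ltype == 3:
        raise ValueError("indeterminate length not supported")
    nbytes = 1 << ltype                           # 1, 2 or 4 length octets
    return tag, pos + 1 + nbytes, int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big")


def _iter_subpackets(area: bytes):
    """Yield (type, payload) for each subpacket in a hashed or unhashed area."""
    pos = 0
    while pos < len(area):
        length, pos = _read_length(area, pos)
        yield area[pos] & 0x7F, area[pos + 1:pos + length]   # high bit = critical flag
        pos += length


def parse_detached_signature(sig: bytes) -> SignatureInfo:
    tag, start, length = _read_packet_header(sig, 0)
    if tag != SIGNATURE_TAG:
        raise ValueError(f"expected a signature packet, got tag {tag}")
    body = sig[start:start + length]
    if body[0] != 4:
        raise ValueError(f"unsupported signature version {body[0]}")
    info = SignatureInfo(version=body[0])
    hashed_len = int.from_bytes(body[4:6], "big")
    hashed, off = body[6:6 + hashed_len], 6 + hashed_len
    unhashed = body[off + 2:off + 2 + int.from_bytes(body[off:off + 2], "big")]
    # The hashed area is covered by the signature, the unhashed area is not: read hashed first.
    for area in (hashed, unhashed):
        for sub_type, payload in _iter_subpackets(area):
            if sub_type == SUBPKT_ISSUER_FINGERPRINT and info.fingerprint is None:
                info.fingerprint = payload[1:].hex().upper()   # payload[0] = key version
            elif sub_type == SUBPKT_ISSUER_KEY_ID and info.key_id is None:
                info.key_id = payload.hex().upper()
    if info.key_id is None and info.fingerprint is not None:
        info.key_id = info.fingerprint[-16:]   # v4 key ID = low 64 bits of fingerprint
    return info


def format_fingerprint(fpr: str) -> str:
    """Group a 40-hex-digit fingerprint into blocks of four, as the thread shows it."""
    return " ".join(fpr[i:i + 4] for i in range(0, len(fpr), 4))


def signer_is_trusted(info: SignatureInfo, trusted: set[str]) -> bool:
    """Allowlist check on the full fingerprint, never on the 64-bit key ID alone.
    Names the key that claims to have signed; verification is still gpg --verify."""
    return info.fingerprint is not None and info.fingerprint in trusted
```

The design follows the caveat in the comment: a key ID read from the same mirror that serves the ISO adds nothing on its own, and an issuer value in the unhashed area (or a 64-bit key ID, which is cheap to collide) is not something to match on. What the download page can usefully do is show the fingerprint that the signature claims and flag whether it is one of the fingerprints fixed in the site's own configuration (or on the master-keys page), leaving the actual verification to `gpg --verify` with that key. Calling `parse_detached_signature(open("archlinux-2016.01.01-dual.iso.sig", "rb").read())` on a real binary .sig yields the same fields as `parse_detached_signature(SAMPLE_SIG)` does for the constructed packet.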
