FS#52273 - [archiso] Stronger Hashes and GPG Fingerprint
Attached to Project:
Release Engineering
Opened by NicoHood (NicoHood) - Monday, 26 December 2016, 12:35 GMT
Last edited by David Runge (dvzrv) - Monday, 29 March 2021, 17:41 GMT
Details
As mentioned in the mailing list the download page misses sha256 and sha512 message digests.
The GPG signature is included on the website but the used (full) fingerprint of the person who signed the ISO + his name/email should be visible on the website. Please add those so people can check the integrity of their ArchLinux Download securely.
Closed by David Runge (dvzrv)
Monday, 29 March 2021, 17:41 GMT
Reason for closing: Upstream
Additional comments about closing: https://gitlab.archlinux.org/archlinux/releng/-/issues/2 tracks the stronger checksum algorithms.
Use the archweb bug tracker for the other issues.
gpg: assuming signed data in 'archlinux-2016.12.01-dual.iso'
gpg: Signature made Thu 01 Dec 2016 05:54:07 PM CET
gpg: using RSA key 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
gpg: Good signature from "Pierre Schmitz <pierre@archlinux.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4AA4 767B BC9C 4B1D 18AE 28B7 7F2D 434B 9741 E8AC
The download page should possibly also link to the fingerprint on the keyserver and to an explanation of the warning:
https://pgp.mit.edu/pks/lookup?op=vindex&fingerprint=on&exact=on&search=0x4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
https://pierre-schmitz.com/trust-the-master-keys/
https://www.archlinux.org/people/trusted-users/
Explanation:
https://lkml.org/lkml/2016/8/15/445
If I am correct, for example, our master key from Pierre has some duplicate entries with the same 32-bit ending. In this case he owns both keys, but one is revoked:
https://sks-keyservers.net/pks/lookup?op=vindex&search=pierre+archlinux&fingerprint=on
Nevertheless, it should be changed to the full fingerprint too, for the same reasons we require the full fingerprint in makepkg.
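The check this task asks the download page to make possible, as an added example that is not code from the tracker, archiso or archweb: it pins the full fingerprint quoted in the gpg output above, compares it against the VALIDSIG line of gpg's `--status-fd` output, and computes SHA-256 and SHA-512 in one pass. The status lines are constructed sample input and the function names are hypothetical.

```python
import hashlib
import re

# Full fingerprint as quoted in the gpg output on this page; helper names are illustrative.
PINNED_FPR = "4AA4 767B BC9C 4B1D 18AE 28B7 7F2D 434B 9741 E8AC"

def normalize_fpr(value):
    """Return a 40-hex-digit v4 fingerprint; reject short or long key IDs."""
    fpr = re.sub(r"\s+", "", value).upper()
    if fpr.startswith("0X"):
        fpr = fpr[2:]
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("expected a full 40-digit fingerprint, got %r" % value)
    return fpr

def signer_is_pinned(status_text, pinned):
    """True if any VALIDSIG status line names `pinned` as the primary key."""
    want = normalize_fpr(pinned)
    for line in status_text.splitlines():
        f = line.split()
        # [GNUPG:] VALIDSIG <fpr> <date> <ts> <exp> <ver> <res> <pk> <hash> <class> [<primary-fpr>]
        if f[:2] == ["[GNUPG:]", "VALIDSIG"] and len(f) >= 3:
            primary = f[11] if len(f) >= 12 else f[2]
            if primary.upper() == want:
                return True
    return False

def digests(stream, chunk=1 << 20):
    """Compute SHA-256 and SHA-512 of a binary stream in one pass."""
    h256, h512 = hashlib.sha256(), hashlib.sha512()
    for block in iter(lambda: stream.read(chunk), b""):
        h256.update(block)
        h512.update(block)
    return {"sha256": h256.hexdigest(), "sha512": h512.hexdigest()}

# Constructed status output, shaped like `gpg --status-fd 1 --verify`.
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 7F2D434B9741E8AC Pierre Schmitz <pierre@archlinux.de>\n"
    "[GNUPG:] VALIDSIG 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC 2016-12-01 "
    "1480611247 0 4 0 1 8 00 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC\n"
)
# Constructed look-alike: a different key whose trailing key ID (9741E8AC) is identical.
LOOKALIKE = SAMPLE_STATUS.replace("4AA4767BBC9C4B1D18AE28B7", "0123456789ABCDEF01234567")

if __name__ == "__main__":
    print("pinned key signed:", signer_is_pinned(SAMPLE_STATUS, PINNED_FPR))
    print("look-alike accepted:", signer_is_pinned(LOOKALIKE, PINNED_FPR))
```

The look-alike shares the short key ID with the pinned key, so a comparison on the last 8 hex digits would accept it; the full-fingerprint comparison does not.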