FS#52273 - [archiso] Stronger Hashes and GPG Fingerprint

Attached to Project: Release Engineering
Opened by NicoHood (NicoHood) - Monday, 26 December 2016, 12:35 GMT
Last edited by David Runge (dvzrv) - Monday, 29 March 2021, 17:41 GMT
Task Type Feature Request
Category ArchISO
Status Closed
Assigned To Pierre Schmitz (Pierre)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 5
Private No

Details

As mentioned on the mailing list, the download page is missing sha256 and sha512 message digests.
The GPG signature is included on the website, but the (full) fingerprint of the person who signed the ISO, plus his name/email, should be visible on the website.
Please add those so people can check the integrity of their ArchLinux download securely.
This task depends upon

Closed by David Runge (dvzrv)
Monday, 29 March 2021, 17:41 GMT
Reason for closing: Upstream
Additional comments about closing: https://gitlab.archlinux.org/archlinux/releng/-/issues/2 tracks the stronger checksum algorithms.
Use the archweb bug tracker for the other issues.
Comment by NicoHood (NicoHood) - Monday, 26 December 2016, 12:48 GMT
$ gpg --with-fingerprint archlinux-2016.12.01-dual.iso.sig
gpg: assuming signed data in 'archlinux-2016.12.01-dual.iso'
gpg: Signature made Thu 01 Dec 2016 05:54:07 PM CET
gpg: using RSA key 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
gpg: Good signature from "Pierre Schmitz <pierre@archlinux.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4AA4 767B BC9C 4B1D 18AE 28B7 7F2D 434B 9741 E8AC

The download page should possibly also link to the fingerprint on the keyserver and to an explanation of the warning:
https://pgp.mit.edu/pks/lookup?op=vindex&fingerprint=on&exact=on&search=0x4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
https://pierre-schmitz.com/trust-the-master-keys/
Comment by NicoHood (NicoHood) - Tuesday, 27 December 2016, 02:50 GMT
Also, the site with the TU overview should show full fingerprints:
https://www.archlinux.org/people/trusted-users/

Explanation:
https://lkml.org/lkml/2016/8/15/445

If I am correct, for example, our master key from Pierre has some duplicate entries with the same 32-bit ending. In this case he owns both keys, but one is revoked:
https://sks-keyservers.net/pks/lookup?op=vindex&search=pierre+archlinux&fingerprint=on

Nevertheless, it should be changed to the full fingerprint too, for the same reasons we require the full fingerprint in makepkg.
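The two comments above show the gpg output for the ISO signature and explain why only the full 160-bit fingerprint, never the 32-bit key ID, should be trusted. The script below is an added example (not code from this bug report or from Arch Linux) of the verification procedure the reporter is asking the download page to support: a sha256 digest check followed by a GnuPG signature check that pins the full fingerprint, parsed from gpg's machine-readable `--status-fd` output rather than from the human-readable text. It assumes `gpg` and `sha256sum` are installed, that the digest file is in `sha256sum` format, and that the expected fingerprint was obtained from a trusted place (the download page, as the report requests); the function and variable names are the example's own.

```sh
#!/bin/sh
# Added example, not code from the bug report or from Arch Linux.
# Verifies a downloaded ISO the way the thread asks for: a SHA-256 digest
# check plus a GnuPG signature check that pins the FULL 160-bit fingerprint
# of the signing key. Short (32-bit) key IDs are not compared anywhere,
# because different keys can share the same 8-hex-digit ending.
set -u

# Strip spaces and upper-case hex so "4AA4 767B ..." and "4aa4767b..." compare equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Read "gpg --status-fd" lines on stdin; succeed only if a VALIDSIG line
# carries the expected fingerprint as the signing key (3rd field) or as the
# primary key (last field, which gpg appends when a subkey made the signature).
# Line shape: [GNUPG:] VALIDSIG <fpr> <date> <ts> <exp-ts> <ver> <rsv> <pk-algo> <hash-algo> <class> [<primary-fpr>]
fingerprint_matches() {
    expected=$(norm_fpr "$1")
    while IFS= read -r line; do
        case "$line" in
            '[GNUPG:] VALIDSIG '*)
                set -- $line                              # split the status line into words
                signing_fpr=$3
                primary_fpr=""
                for w in $line; do primary_fpr=$w; done   # keep the last word
                if [ "$signing_fpr" = "$expected" ] || [ "$primary_fpr" = "$expected" ]; then
                    return 0
                fi
                ;;
        esac
    done
    return 1   # no VALIDSIG from the pinned key (BADSIG, NODATA, a different key, ...)
}

# Check a sha256sum-style digest file ("<hex>  <filename>") in the current directory.
check_sha256() {
    sha256sum -c --strict "$1" >/dev/null 2>&1
}

# Full procedure: digest first, then signature, then fingerprint pin.
# Usage: verify_iso <iso> <iso.sig> <sha256sums.txt> "<full fingerprint>"
verify_iso() {
    iso=$1; sig=$2; sums=$3; expected_fpr=$4
    check_sha256 "$sums" || { echo "FAIL: sha256 mismatch for $iso" >&2; return 1; }
    # --status-fd 1 puts machine-readable status on stdout; the human text on stderr is discarded.
    if gpg --status-fd 1 --verify "$sig" "$iso" 2>/dev/null | fingerprint_matches "$expected_fpr"; then
        echo "OK: $iso is signed by $expected_fpr"
    else
        echo "FAIL: no valid signature from the pinned key" >&2
        return 1
    fi
}

# Run the full check only when invoked with the four arguments.
if [ "$#" -eq 4 ]; then
    verify_iso "$@"
fi
```

Pinning happens on the `VALIDSIG` status line because it is the only place gpg reports the fingerprint in a stable, parseable form; a "Good signature from ..." text line does not say which of several same-named keys was used, and a `BADSIG` or `NODATA` line correctly leaves `fingerprint_matches` returning failure.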
Comment by Jelle van der Waa (jelly) - Tuesday, 27 December 2016, 13:32 GMT
The TU overview applies to developers too and is not a release engineering bug, but an archweb one.
