FS#52273 : [archiso] Stronger Hashes and GPG Fingerprint

FS#52273 - [archiso] Stronger Hashes and GPG Fingerprint

Attached to Project: Release Engineering
Opened by NicoHood (NicoHood) - Monday, 26 December 2016, 12:35 GMT
Last edited by David Runge (dvzrv) - Monday, 29 March 2021, 17:41 GMT

Task Type	Feature Request
Category	ArchISO
Status	Closed
Assigned To	Pierre Schmitz (Pierre)
Architecture	All
Severity	Medium
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	5 Alexander Epaneshnikov (erik_pro) (2019-02-12) Pascal Ernster (hardfalcon) (2017-06-02) brahim (braahim) (2017-04-11) Kieran Colford (kieranc) (2017-01-16) Diego Viola (diegoviola) (2016-12-29)
Private	No

Details

As mentioned in the mailing list the download page misses sha256 and sha512 message digests.
The GPG signature is included on the website but the used (full) fingerprint of the person who signed the ISO + his name/email should be visible on the website.
Please add those so people can check the integrity of their ArchLinux Download securely.

This task depends upon

Closed by David Runge (dvzrv)
Monday, 29 March 2021, 17:41 GMT
Reason for closing: Upstream
Additional comments about closing: https://gitlab.archlinux.org/archlinux/r eleng/-/issues/2 tracks the stronger checksum algorithms.
Use the archweb bug tracker for the other issues.

Comment by NicoHood (NicoHood) - Monday, 26 December 2016, 12:48 GMT

$ gpg --with-fingerprint archlinux-2016.12.01-dual.iso.sig
gpg: assuming signed data in 'archlinux-2016.12.01-dual.iso'
gpg: Signature made Thu 01 Dec 2016 05:54:07 PM CET
gpg: using RSA key 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
gpg: Good signature from "Pierre Schmitz <pierre@archlinux.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4AA4 767B BC9C 4B1D 18AE 28B7 7F2D 434B 9741 E8AC

The download page should possibly also link to the fingerprint on the keyserver and to an explanation of the warning:
https://pgp.mit.edu/pks/lookup?op=vindex&fingerprint=on&exact=on&search=0x4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
https://pierre-schmitz.com/trust-the-master-keys/

Comment by NicoHood (NicoHood) - Tuesday, 27 December 2016, 02:50 GMT

Also the site with the TU overview should show full fingerprints:
https://www.archlinux.org/people/trusted-users/

Explanation:
https://lkml.org/lkml/2016/8/15/445

If I am correct for example our master key from pierre has some duplicate entries with the same 32bit ending. In this case he owns both keys, but one is revoked:
https://sks-keyservers.net/pks/lookup?op=vindex&search=pierre+archlinux&fingerprint=on

Nevertheless it should be changed to the full fingerprint too. For the same reasons why we require the full fingerprint in makepkg.

Comment by Jelle van der Waa (jelly) - Tuesday, 27 December 2016, 13:32 GMT

The TU overview applies to developers too and is not a release engineering bug, but an archweb one.

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

FS#52273 - [archiso] Stronger Hashes and GPG Fingerprint

Details

Loading...