Release Engineering

This project is intented for all release related issues (isos, installer, etc), under the umbrella of the ArchLinux Release Engineers
Tasklist

FS#52273 - [archiso] Stronger Hashes and GPG Fingerprint

Attached to Project: Release Engineering
Opened by NicoHood (NicoHood) - Monday, 26 December 2016, 12:35 GMT
Last edited by Gerardo Exequiel Pozzi (djgera) - Monday, 26 December 2016, 22:25 GMT
Task Type Feature Request
Category ArchISO
Status Assigned
Assigned To Pierre Schmitz (Pierre)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 4
Private No

Details

As mentioned in the mailing list the download page misses sha256 and sha512 message digests.
The GPG signature is included on the website but the used (full) fingerprint of the person who signed the ISO + his name/email should be visible on the website.
Please add those so people can check the integrity of their ArchLinux Download securely.
This task depends upon

Comment by NicoHood (NicoHood) - Monday, 26 December 2016, 12:48 GMT
$ gpg --with-fingerprint archlinux-2016.12.01-dual.iso.sig
gpg: assuming signed data in 'archlinux-2016.12.01-dual.iso'
gpg: Signature made Thu 01 Dec 2016 05:54:07 PM CET
gpg: using RSA key 4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
gpg: Good signature from "Pierre Schmitz <pierre@archlinux.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4AA4 767B BC9C 4B1D 18AE 28B7 7F2D 434B 9741 E8AC

The download page should possibly also link to the fingerprint on the keyserver and to an explanation of the warning:
https://pgp.mit.edu/pks/lookup?op=vindex&fingerprint=on&exact=on&search=0x4AA4767BBC9C4B1D18AE28B77F2D434B9741E8AC
https://pierre-schmitz.com/trust-the-master-keys/
Comment by NicoHood (NicoHood) - Tuesday, 27 December 2016, 02:50 GMT
Also the site with the TU overview should show full fingerprints:
https://www.archlinux.org/people/trusted-users/

Explanation:
https://lkml.org/lkml/2016/8/15/445

If I am correct for example our master key from pierre has some duplicate entries with the same 32bit ending. In this case he owns both keys, but one is revoked:
https://sks-keyservers.net/pks/lookup?op=vindex&search=pierre+archlinux&fingerprint=on

Nevertheless it should be changed to the full fingerprint too. For the same reasons why we require the full fingerprint in makepkg.
Comment by Jelle van der Waa (jelly) - Tuesday, 27 December 2016, 13:32 GMT
The TU overview applies to developers too and is not a release engineering bug, but an archweb one.

Loading...