rawhide signing and other such things
Panu Matilainen
pmatilai at welho.com
Tue Oct 26 06:52:26 UTC 2004
On Tue, 26 Oct 2004, seth vidal wrote:
> I've been reading the thread of complaints about rawhide being unsigned.
>
> The problem is, of course, a feasibility of getting the pkgs signed in a
> semi-secure format.
>
> What if we did the following:
>
> we added functions to anything that reads repomd.xml to check for a gpg
> signature in a detached file.
>
> Then we could verify that the repomd.xml file is the original one.
>
> That lets us know that the sha1 or md5 checksums in the repomd.xml file
> pointing to the primary, filelists, other and groups metadata are valid.
>
> if the metadata.xml files match the checksum from the signed and
> verified repomd.xml then we know those files are valid.
>
> Now each package entry contains a package id in the metadata.
>
> that id is either an md5sum or a sha1sum of the package file itself.
>
> So now, if we download that file and the md5sum or sha1sum matches what
> is in the metadata xml files then we know it is valid too.
>
> This at least gets us to a point where we can reasonably trust the
> packages from the repository based on a single signature for the
> repomd.xml file.
>
>
> What do y'all think? Would that be workable?
That's basically how apt's "authenticated repositories" work.
- Panu -
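The chain of trust Seth describes (one detached signature on repomd.xml, then checksums all the way down to the package file) is small enough to show end to end. The following is an added example, not code from the thread, yum or apt: it uses constructed, simplified (namespace-free) repomd.xml and primary.xml samples, and because the real signature check is a call to `gpg --verify` on the detached file, the signature step is a pluggable callback; the `demo_sign`/`demo_check` pair that fills it in here is an HMAC under a constructed key, used only so the example runs offline. The `pkgid="YES"` attribute and the `"sha"` spelling of sha1 follow createrepo's metadata conventions, which the thread does not spell out.

```python
"""Verify a repository anchored on a signed repomd.xml (added example, constructed data).

Trust flows: detached signature on repomd.xml -> checksums of the metadata files
listed in repomd.xml -> the pkgid checksum of each package in primary.xml -> the
downloaded package bytes. The first link that fails stops the whole chain.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Tuple

SigCheck = Callable[[bytes, bytes], bool]


class VerificationError(Exception):
    """Raised at the first link of the chain that fails; nothing below it is trusted."""


def hexdigest(algo: str, data: bytes) -> str:
    # createrepo writes sha1 as type="sha"; other names map straight onto hashlib.
    return hashlib.new({"sha": "sha1"}.get(algo, algo), data).hexdigest()


def same_digest(algo: str, data: bytes, expected: str) -> bool:
    return hmac.compare_digest(hexdigest(algo, data), expected.strip().lower())


def verify_repomd(repomd: bytes, signature: bytes, check_sig: SigCheck) -> Dict[str, Tuple[str, str, str]]:
    """Step 1: the detached signature anchors everything. Returns {type: (href, algo, checksum)}."""
    if not check_sig(repomd, signature):
        raise VerificationError("repomd.xml: detached signature does not verify")
    entries = {}
    for data in ET.fromstring(repomd).findall("data"):
        cs = data.find("checksum")
        entries[data.get("type")] = (data.find("location").get("href"), cs.get("type"), cs.text)
    return entries


def verify_metadata(entries: Dict[str, Tuple[str, str, str]], files: Dict[str, bytes]) -> None:
    """Step 2: every metadata file must match the checksum carried in the signed repomd.xml."""
    for mdtype, (href, algo, expected) in entries.items():
        blob = files.get(href)
        if blob is None:
            raise VerificationError(f"{mdtype}: {href} missing")
        if not same_digest(algo, blob, expected):
            raise VerificationError(f"{mdtype}: {href} does not match signed checksum")


def verify_package(primary: bytes, href: str, package: bytes) -> str:
    """Step 3: the package bytes must match the pkgid checksum in the verified primary.xml."""
    for pkg in ET.fromstring(primary).findall("package"):
        if pkg.find("location").get("href") != href:
            continue
        cs = pkg.find("checksum")
        if cs.get("pkgid") != "YES":
            raise VerificationError(f"{href}: checksum entry is not the package id")
        if not same_digest(cs.get("type"), package, cs.text):
            raise VerificationError(f"{href}: package does not match pkgid")
        return pkg.find("name").text
    raise VerificationError(f"{href}: not listed in verified metadata, refusing to install")


def verify_chain(files: Dict[str, bytes], signature: bytes, check_sig: SigCheck,
                 package_hrefs: List[str]) -> List[str]:
    """Run all three steps and return the names of packages that survived the chain."""
    entries = verify_repomd(files["repodata/repomd.xml"], signature, check_sig)
    verify_metadata(entries, files)
    primary = files[entries["primary"][0]]
    return [verify_package(primary, h, files[h]) for h in package_hrefs]


# Stand-in for the detached GPG signature so the example runs offline: an HMAC under a
# constructed key. A real client calls gpg --verify (asymmetric, key in the keyring);
# HMAC only exercises the plumbing and must not be used as a repository signature.
_DEMO_KEY = b"constructed-demo-key"


def demo_sign(data: bytes) -> bytes:
    return hmac.new(_DEMO_KEY, data, "sha256").digest()


def demo_check(data: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(demo_sign(data), signature)


def build_sample_repo(sign: Callable[[bytes], bytes]) -> Tuple[Dict[str, bytes], bytes]:
    """Constructed one-package repository: package -> primary.xml -> repomd.xml -> signature."""
    pkg = b"constructed-rpm-payload-not-a-real-package"
    primary = (f'<metadata packages="1"><package type="rpm"><name>example</name>'
               f'<checksum type="sha" pkgid="YES">{hexdigest("sha", pkg)}</checksum>'
               f'<location href="example-1.0-1.noarch.rpm"/></package></metadata>').encode()
    repomd = (f'<repomd><data type="primary"><location href="repodata/primary.xml"/>'
              f'<checksum type="sha">{hexdigest("sha", primary)}</checksum></data></repomd>').encode()
    files = {"repodata/repomd.xml": repomd, "repodata/primary.xml": primary,
             "example-1.0-1.noarch.rpm": pkg}
    return files, sign(repomd)


def tamper_result(href: str) -> str:
    """Modify one file after signing and report which link of the chain catches it."""
    files, sig = build_sample_repo(demo_sign)
    files[href] = files[href] + b"\n<!-- injected after signing -->"
    try:
        verify_chain(files, sig, demo_check, ["example-1.0-1.noarch.rpm"])
    except VerificationError as err:
        return str(err)
    return "undetected"


if __name__ == "__main__":
    repo, sig = build_sample_repo(demo_sign)
    print("clean repo:", verify_chain(repo, sig, demo_check, ["example-1.0-1.noarch.rpm"]))
    for path in ("repodata/repomd.xml", "repodata/primary.xml", "example-1.0-1.noarch.rpm"):
        print(f"tampered {path}:", tamper_result(path))
```

Two details matter in practice: the client must refuse any package whose href is absent from the verified primary.xml rather than falling back to an unsigned check, and the checksum algorithm is taken from the signed metadata, so an attacker who can only swap files cannot downgrade it.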