Sven-Hendrik Haase <sh(a)lutzhaase.com> on Thu, 2013/01/31 13:34:
> On 31.01.2013 13:33, Christian Hesse wrote:
> > Sven-Hendrik Haase <sh(a)lutzhaase.com> on Thu, 2013/01/31 13:19:
> >> On 31.01.2013 13:02, Christian Hesse wrote:
> >>> Pierre Schmitz <pierre(a)archlinux.de> on Wed, 2013/01/30 19:12:
> >>>> I am going to build a new ISO image on Friday. I did a test build today
> >>>> and everything looks fine. It's just updated packages; no changes to
> >>>> ais nor archiso. Let me know if there are any known issues or blockers.
> >>> This is not about the ISO itself but its download...
> >>>
> >>> Torrent download files can contain more than just one file. How about
> >>> including gpg signature for the ISO file? Possibly this increases the
> >>> number of people actually checking the authenticity of downloaded files.
> >> Frankly, why? The torrent already guarantees you didn't get bad data.
> > Sure. But the gpg signature is not (only) about integrity but
> > authenticity.
> >
> > If you get a bad (not broken) torrent file you could download a bad ISO
> > image without noticing anybody is fooling you.
>
> Oh so you want to gpg the torrent file itself? Well, that could work, I
> guess.
No, I do not want to sign the torrent file. I want the ISO image and a gpg
signature for that inside the torrent file. Even if anybody fools you, signs
his own ISO with his own key and puts these into a torrent file you can easily
verify after download:
$ pacman-key -v archlinux-2013.01.04-dual.iso.sig
==> Checking archlinux-2013.01.04-dual.iso.sig ...
gpg: Signature made Thu 31 Jan 2013 01:56:51 PM CET using DSA key ID 2409C107
gpg: Can't check signature: No public key
==> ERROR: The signature identified by archlinux-2013.01.04-dual.iso.sig
could not be verified.
Output should look like this though, note this only happens if the key is in
pacman's keyring and trusted with the required level:
$ pacman-key -v archlinux-2013.01.04-dual.iso.sig
==> Checking archlinux-2013.01.04-dual.iso.sig ...
gpg: Signature made Fri 04 Jan 2013 11:07:27 PM CET using RSA key ID 9741E8AC
gpg: NOTE: trustdb not writable
gpg: Good signature from "Pierre Schmitz <pierre(a)archlinux.de>"
--
main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/* Chris get my mail address: */=0;b=c[a++];)
putchar(b-1/(/* gcc -o sig sig.c && ./sig */b/42*2-3)*42);}