[arch-releng] February release

Christian Hesse list at eworm.de
Thu Jan 31 08:03:38 EST 2013


Sven-Hendrik Haase <sh at lutzhaase.com> on Thu, 2013/01/31 13:34:
> On 31.01.2013 13:33, Christian Hesse wrote:
> > Sven-Hendrik Haase <sh at lutzhaase.com> on Thu, 2013/01/31 13:19:
> >> On 31.01.2013 13:02, Christian Hesse wrote:
> >>> Pierre Schmitz <pierre at archlinux.de> on Wed, 2013/01/30 19:12:
> >>>> I am going to build a new ISO image on Friday. I did a test build today
> >>>> and everything looks fine. It's just updated packages; no changes to
> >>>> ais nor archiso. Let me know if there are any known issues or blockers.
> >>> This is not about the ISO itself but its download...
> >>>
> >>> Torrent download files can contain more than just one file. How about
> >>> including gpg signature for the ISO file? Possibly this increases the
> >>> number of people actually checking the authenticity of downloaded files.
> >> Frankly, why? The torrent already guarantees you didn't get bad data.
> > Sure. But the gpg signature is not (only) about integrity but
> > authenticity.
> >
> > If you get a bad (not broken) torrent file you could download a bad ISO
> > image without noticing anybody is fooling you.
> 
> Oh so you want to gpg the torrent file itself? Well, that could work, I
> guess.

No, I do not want to sign the torrent file. I want the ISO image and a gpg
signature for that inside the torrent file. Even if anybody fools you, signs
his own ISO with his own key and puts these into a torrent file, you can easily
verify after download:

$ pacman-key -v archlinux-2013.01.04-dual.iso.sig
==> Checking archlinux-2013.01.04-dual.iso.sig ...
gpg: Signature made Thu 31 Jan 2013 01:56:51 PM CET using DSA key ID 2409C107
gpg: Can't check signature: No public key
==> ERROR: The signature identified by archlinux-2013.01.04-dual.iso.sig
could not be verified.

Output should look like this, though; note this only happens if the key is in
pacman's keyring and trusted with the required level:

$ pacman-key -v archlinux-2013.01.04-dual.iso.sig
==> Checking archlinux-2013.01.04-dual.iso.sig ...
gpg: Signature made Fri 04 Jan 2013 11:07:27 PM CET using RSA key ID 9741E8AC
gpg: NOTE: trustdb not writable
gpg: Good signature from "Pierre Schmitz <pierre at archlinux.de>"
-- 
main(a){char*c=/*    Schoene Gruesse                         */"B?IJj;MEH"
"CX:;",b;for(a/*    Chris           get my mail address:    */=0;b=c[a++];)
putchar(b-1/(/*               gcc -o sig sig.c && ./sig    */b/42*2-3)*42);}
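The point made above, that a signature from the wrong key is still a "good" signature, is easy to get wrong in a script. The following is an added example, not code from the thread or from pacman-key: it calls gpg directly with --status-fd instead of going through pacman-key, and accepts the ISO only when gpg reports a VALIDSIG made by a pinned fingerprint. The fingerprint, file names and status lines used in the test are constructed placeholders, not Arch's real release key.

```shell
#!/bin/sh
# verify_iso_sig <iso> <detached.sig> <expected_fingerprint>
# Runs gpg in machine-readable mode and delegates the decision to
# check_gpg_status, so the decision logic can be tested without gpg.
verify_iso_sig() {
    vis_status=$(gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null)
    check_gpg_status "$3" "$vis_status"
}

# check_gpg_status <expected_fingerprint> <gpg --status-fd output>
# Exit status: 0 = valid signature from the pinned key,
#              2 = signing key not in the keyring (cannot verify),
#              1 = anything else, including a good signature from another key.
check_gpg_status() {
    cgs_want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    cgs_out=$2
    # Matches the "No public key" case shown in the first pacman-key run.
    if printf '%s\n' "$cgs_out" | grep -q '^\[GNUPG:\] NO_PUBKEY'; then
        echo "signing key not in keyring; cannot verify" >&2
        return 2
    fi
    # VALIDSIG carries the full fingerprint as its first argument; GOODSIG
    # only carries the short key ID and the user ID string, so do not pin on it.
    cgs_got=$(printf '%s\n' "$cgs_out" | awk '/^\[GNUPG:\] VALIDSIG/ {print $3; exit}')
    if [ -z "$cgs_got" ]; then
        echo "no valid signature" >&2
        return 1
    fi
    if [ "$cgs_got" != "$cgs_want" ]; then
        echo "valid signature, but from unexpected key $cgs_got" >&2
        return 1
    fi
    return 0
}
```

A file that arrives in the same torrent as its .sig is only worth trusting if the fingerprint pinned here came from somewhere other than that torrent.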