[arch-releng] February release

Dan McGee dpmcgee at gmail.com
Thu Jan 31 09:26:46 EST 2013


On Thu, Jan 31, 2013 at 7:03 AM, Christian Hesse <list at eworm.de> wrote:
> Sven-Hendrik Haase <sh at lutzhaase.com> on Thu, 2013/01/31 13:34:
>> On 31.01.2013 13:33, Christian Hesse wrote:
>> > Sven-Hendrik Haase <sh at lutzhaase.com> on Thu, 2013/01/31 13:19:
>> >> On 31.01.2013 13:02, Christian Hesse wrote:
>> >>> Pierre Schmitz <pierre at archlinux.de> on Wed, 2013/01/30 19:12:
>> >>>> I am going to build a new ISO image on Friday. I did a test build today
>> >>>> and everything looks fine. It's just updated packages; no changes to
>> >>>> ais nor archiso. Let me know if there are any known issues or blockers.
>> >>> This is not about the ISO itself but its download...
>> >>>
>> >>> Torrent download files can contain more than just one file. How about
>> >>> including gpg signature for the ISO file? Possibly this increases the
>> >>> number of people actually checking the authenticity of downloaded files.
>> >> Frankly, why? The torrent already guarantees you didn't get bad data.
>> > Sure. But the gpg signature is not (only) about integrity but
>> > authenticity.
>> >
>> > If you get a bad (not broken) torrent file you could download a bad ISO
>> > image without noticing anybody is fooling you.
>>
>> Oh so you want to gpg the torrent file itself? Well, that could work, I
>> guess.
>
> No, I do not want to sign the torrent file. I want the ISO image and a gpg
> signature for that inside the torrent file. Even if anybody fools you, signs
> his own ISO with his own key and puts these into a torrent file you can easily
> verify after download:
>
> $ pacman-key -v archlinux-2013.01.04-dual.iso.sig
> ==> Checking archlinux-2013.01.04-dual.iso.sig ...
> gpg: Signature made Thu 31 Jan 2013 01:56:51 PM CET using DSA key ID 2409C107
> gpg: Can't check signature: No public key
> ==> ERROR: The signature identified by archlinux-2013.01.04-dual.iso.sig
> could not be verified.
>
> Output should look like this though, note this only happens if the key is in
> pacman's keyring and trusted with the required level:
>
> $ pacman-key -v archlinux-2013.01.04-dual.iso.sig
> ==> Checking archlinux-2013.01.04-dual.iso.sig ...
> gpg: Signature made Fri 04 Jan 2013 11:07:27 PM CET using RSA key ID 9741E8AC
> gpg: NOTE: trustdb not writable
> gpg: Good signature from "Pierre Schmitz <pierre at archlinux.de>"
> --
> main(a){char*c=/*    Schoene Gruesse                         */"B?IJj;MEH"
> "CX:;",b;for(a/*    Chris           get my mail address:    */=0;b=c[a++];)
> putchar(b-1/(/*               gcc -o sig sig.c && ./sig    */b/42*2-3)*42);}

For the paranoid, we do sign the ISO file itself and the PGP signature
has always been available from our https://www.archlinux.org/download/
page. I don't see any reason to include it in the torrent.

If you got a bad torrent file, I'm not sure where you got it from; we
serve both the download page with magnet link over HTTPS and also the
torrent file itself.

-Dan
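
Added example, not code from this thread, archiso or pacman-key: a POSIX sh script that does what Christian's scenario calls for, accepting a detached signature only when gpg reports VALIDSIG from a fingerprint pinned in advance. It is the check that makes "Good signature" meaningful: an attacker who ships his own ISO plus a signature from his own key still produces a "Good signature" line once his key is imported, so the verifier compares the signing key's primary fingerprint against the pinned value instead of trusting the keyring's trust level. Everything below is assumed for illustration: the keys, user IDs and file names are throwaway values generated at run time (not Arch's real release key), and the script needs GnuPG 2.1 or newer for --quick-generate-key and --pinentry-mode loopback.

```shell
#!/bin/sh
# Added example, not code from the arch-releng thread, archiso or pacman-key.
# Accept a detached GPG signature only when gpg reports VALIDSIG from a
# pinned primary-key fingerprint. Keys, user IDs and file names are
# throwaway values generated at run time, not Arch's real release key.
# Needs GnuPG 2.1+ (--quick-generate-key, --pinentry-mode loopback).

# Create a throwaway GnuPG home with one signing key; print its fingerprint.
make_keyring() {  # $1 = directory, $2 = user ID
  mkdir -p "$1" && chmod 700 "$1"
  GNUPGHOME=$1 gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "$2" default default never >/dev/null 2>&1
  GNUPGHOME=$1 gpg --batch --with-colons --list-keys |
    awk -F: '$1 == "fpr" { print $10; exit }'   # first fpr line = primary key
}

# Detached-sign $1 with the key in keyring $2; writes $1.sig.
sign_file() {
  GNUPGHOME=$2 gpg --batch --yes --pinentry-mode loopback --passphrase '' \
    --detach-sign --output "$1.sig" "$1" 2>/dev/null
}

# Copy public key $3 from keyring $1 into keyring $2 (what a user does when
# importing a release key; importing does NOT mark the key as trusted).
import_pubkey() {
  GNUPGHOME=$1 gpg --batch --export "$3" |
    GNUPGHOME=$2 gpg --batch --quiet --import 2>/dev/null
}

# Verify file $1 against detached signature $2 with keyring $3, accepting
# only a signature whose primary-key fingerprint equals the pinned value $4.
# Returns: 0 valid and from the pinned key, 2 signing key not in keyring,
# 3 bad signature (data modified), 4 valid but from some other key, 1 else.
# gpg exits non-zero for cases 2 and 3, so the status lines decide, not $?.
verify_pinned() {
  status=$(GNUPGHOME=$3 gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || true
  case $status in
    *"[GNUPG:] BADSIG"*)    return 3 ;;
    *"[GNUPG:] NO_PUBKEY"*) return 2 ;;
  esac
  # VALIDSIG's last field is the primary-key fingerprint, even when a subkey signed.
  signer=$(printf '%s\n' "$status" |
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }')
  [ -n "$signer" ] || return 1
  if [ "$signer" = "$4" ]; then return 0; fi
  return 4
}

# The thread's scenario end to end. Prints four return codes, in order:
# genuine ISO with the pinned key, tampered ISO, signature checked against an
# empty keyring (no public key), and an "attacker" ISO signed with a different
# key that the user has also imported. Expected: "0 3 2 4".
run_scenario() {
  work=$(mktemp -d)
  pinned=$(make_keyring "$work/release" "Release Key <release@example.invalid>")
  printf 'constructed ISO contents\n' > "$work/arch.iso"    # constructed sample data
  sign_file "$work/arch.iso" "$work/release"

  mkdir -p "$work/user" "$work/empty"; chmod 700 "$work/user" "$work/empty"
  import_pubkey "$work/release" "$work/user" "$pinned"
  r_ok=0; verify_pinned "$work/arch.iso" "$work/arch.iso.sig" "$work/user" "$pinned" || r_ok=$?

  cp "$work/arch.iso" "$work/tampered.iso"; cp "$work/arch.iso.sig" "$work/tampered.iso.sig"
  printf 'x' >> "$work/tampered.iso"
  r_tamper=0; verify_pinned "$work/tampered.iso" "$work/tampered.iso.sig" "$work/user" "$pinned" || r_tamper=$?

  r_nokey=0; verify_pinned "$work/arch.iso" "$work/arch.iso.sig" "$work/empty" "$pinned" || r_nokey=$?

  attacker=$(make_keyring "$work/attacker" "Arch Linux Release <fake@example.invalid>")
  cp "$work/arch.iso" "$work/evil.iso"
  sign_file "$work/evil.iso" "$work/attacker"
  import_pubkey "$work/attacker" "$work/user" "$attacker"
  r_wrong=0; verify_pinned "$work/evil.iso" "$work/evil.iso.sig" "$work/user" "$pinned" || r_wrong=$?

  for h in release user empty attacker; do
    GNUPGHOME=$work/$h gpgconf --kill all >/dev/null 2>&1 || true
  done
  rm -rf "$work"
  printf '%s %s %s %s\n' "$r_ok" "$r_tamper" "$r_nokey" "$r_wrong"
}

# Stand-alone use:  sh verify_iso.sh demo
#                   sh verify_iso.sh verify FILE FILE.sig PINNED_FINGERPRINT
case ${1:-} in
  demo)   echo "return codes (genuine tampered unknown-key wrong-key): $(run_scenario)" ;;
  verify) verify_pinned "$2" "$3" "${GNUPGHOME:-$HOME/.gnupg}" "$4" ;;
esac
```

The `verify` mode uses your own keyring unless GNUPGHOME is set; pointing it at the keyring pacman-key maintains (/etc/pacman.d/gnupg, read access required) checks the same key the thread's pacman-key -v output refers to, but with the trust decision replaced by the pinned fingerprint, which you should obtain over a channel you already trust rather than from the torrent itself. Note that the "attacker" case returns 4 even though gpg prints "Good signature": that is the gap between integrity and authenticity the thread is about.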

