
Hi,
* Bernhard Reiter [Wed Apr 19, 2017 at 11:08:19AM +0200]:
> today I've taken a look at a daily image for grml.org and found no way
> to verify that the image I'm downloading actually is from your build
> machines.
>
> http://grml.org/daily/ leads me to something like
> http://daily.grml.org/grml64-full_testing/2017-04-19_05-31-21/
> where there are no OpenPGP signatures available, and the https variant
> of the URL does not show the files.
>
> This is a problem because a downloader can be attacked by serving a
> different iso file and the corresponding checksums. To prevent this
> attack you could
> a) also use https on the daily.grml.org server
> b) use a new OpenPGP build-key without password, publish the pubkey on
>    the https mainsite and use the key in the automatic building process
>    to generate the detached signatures.
Good idea, I'll add this to our todo list. Thanks!
regards, -mika-
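
As an added illustration of proposal b) above (this is not grml's build tooling, nor code from either poster), the following POSIX shell script shows the whole loop: an unattended OpenPGP build key, a detached signature over the checksum file, and a download-side check that pins the publisher's fingerprint rather than trusting whatever key sits next to the ISO. It then replays the attack from the thread (attacker swaps the ISO and regenerates SHA256SUMS) and shows the check failing. File names, the key's user ID and example.invalid are hypothetical; it needs GnuPG 2.1+ and sha256sum and runs entirely in temporary directories.

```shell
#!/bin/sh
# Added example, not grml's build scripts. Names below are hypothetical.
set -eu

# Build side: create a passphrase-less signing key in its own GNUPGHOME
# so the build job can sign unattended. Prints the fingerprint, which is
# what gets published out-of-band on the https main site.
make_build_key() {
  home="$1"
  mkdir -p "$home" && chmod 700 "$home"
  cat > "$home/keyparams" <<'EOF'
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Hypothetical daily build key
Name-Email: builds@example.invalid
Expire-Date: 1y
%commit
EOF
  GNUPGHOME="$home" gpg --batch --quiet --gen-key "$home/keyparams"
  GNUPGHOME="$home" gpg --batch --with-colons --fingerprint --list-keys |
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Build side: write SHA256SUMS for every ISO in the release directory,
# detach-sign it (ASCII-armored), and export the public key next to it.
sign_release() {
  home="$1"; dir="$2"
  ( cd "$dir" && sha256sum *.iso > SHA256SUMS )
  GNUPGHOME="$home" gpg --batch --yes --armor --detach-sign \
    --output "$dir/SHA256SUMS.asc" "$dir/SHA256SUMS"
  GNUPGHOME="$home" gpg --batch --armor --export > "$dir/build-key.asc"
}

# Download side: import the published key into a throwaway keyring,
# require a VALIDSIG from the pinned fingerprint (not merely "some key
# in the keyring"), and only then check the ISO against SHA256SUMS.
# Returns 0 only if both the signature and the checksums pass.
verify_release() {
  dir="$1"; expected_fpr="$2"
  vhome="$(mktemp -d)"; chmod 700 "$vhome"
  GNUPGHOME="$vhome" gpg --batch --quiet --import "$dir/build-key.asc"
  rc=0
  GNUPGHOME="$vhome" gpg --batch --status-fd 1 \
      --verify "$dir/SHA256SUMS.asc" "$dir/SHA256SUMS" 2>/dev/null |
    grep -q "^\[GNUPG:\] VALIDSIG $expected_fpr " || rc=1
  if [ "$rc" -eq 0 ]; then
    ( cd "$dir" && sha256sum -c SHA256SUMS ) >/dev/null 2>&1 || rc=1
  fi
  GNUPGHOME="$vhome" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$vhome"
  return "$rc"
}

# Constructed demo: sign a fake image and verify it, then replay the
# attack from the thread: the attacker substitutes the ISO and the
# matching SHA256SUMS but cannot produce a signature from the build key.
run_demo() {
  work="$(mktemp -d)"
  bhome="$work/buildkey"; rel="$work/release"
  mkdir -p "$rel"
  printf 'constructed fake ISO contents\n' > "$rel/grml64-full.iso"
  fpr="$(make_build_key "$bhome")"
  sign_release "$bhome" "$rel"
  verify_release "$rel" "$fpr" && good=0 || good=1
  printf 'attacker-supplied image\n' > "$rel/grml64-full.iso"
  ( cd "$rel" && sha256sum *.iso > SHA256SUMS )
  verify_release "$rel" "$fpr" && tampered=0 || tampered=1
  GNUPGHOME="$bhome" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"
  echo "verify=$good tamper=$tampered"
}

if command -v gpg >/dev/null 2>&1; then
  run_demo
else
  echo "gpg not installed; skipping demo" >&2
fi
```

The fingerprint pin is the part that makes option b) work: a key file served from the same (http) directory as the ISO is exactly what the attacker can replace, so the verifier must get the fingerprint from the https main site and refuse anything else. A passphrase-less key on the build host is only as safe as that host, which is why the example gives it a short expiry; rotating it and publishing the new fingerprint over https is the expected routine, and the daily.grml.org server serving the files over https (option a) still helps, since it stops the swap on the wire before any signature check is reached.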