How to verify daily snapshot downloads

Hello,
Today I've taken a look at a daily image for grml.org and found no way to verify that the image I'm downloading actually is from your build machines.
http://grml.org/daily/ leads me to something like http://daily.grml.org/grml64-full_testing/2017-04-19_05-31-21/
where there are no OpenPGP signatures available, and the https variant of the URL does not show the files.
This is a problem because a downloader can be attacked by serving a different ISO file and the corresponding checksums. To prevent this attack you could a) also use https on the daily.grml.org server, b) use a new OpenPGP build key without password, publish the pubkey on the https main site and use the key in the automatic building process to generate the detached signatures.
Best Regards, Bernhard
PS: if you had a flattr account, I would have flattred you. :) Thanks for grml.
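The verification flow Bernhard proposes, as an added example that is not part of this thread or of the grml project's tooling: a passwordless build key produces a detached signature over the checksum file, and the downloader verifies against only the published key before trusting any checksum. Key names, the `build@example.invalid` user ID, and the ISO contents are constructed; the script needs gnupg and coreutils.

```shell
#!/bin/sh
# Added example, not grml project code: the proposed build-key flow end to end.
# Build side: a passwordless OpenPGP key signs SHA256SUMS with a detached signature.
# Download side: verify against only the published build key, then check the ISO hash.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/build-gnupg"   # throwaway keyring standing in for the build machine
mkdir -m 700 "$GNUPGHOME"

# --- build machine (constructed stand-in for the daily build job) ---
printf 'constructed iso payload\n' > "$WORK/grml64-full_testing.iso"
(cd "$WORK" && sha256sum grml64-full_testing.iso > SHA256SUMS)
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'grml daily build (example) <build@example.invalid>' default default 0
gpg --batch --quiet --armor --export build@example.invalid > "$WORK/build-key.asc"  # what the https main site would publish
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --armor --detach-sign --output "$WORK/SHA256SUMS.asc" "$WORK/SHA256SUMS"

# --- downloader ---
# verify_download PUBKEY SUMS SIG DIR: returns 0 only if SUMS carries a valid
# signature from PUBKEY and the ISO in DIR matches SUMS. The signature is checked
# in a fresh keyring holding just the pinned build key, so no other key the user
# happens to have imported can satisfy the check.
verify_download() {
  pubkey=$1; sums=$2; sig=$3; dir=$4
  kr=$(mktemp -d)
  GNUPGHOME="$kr" gpg --batch --quiet --import "$pubkey" 2>/dev/null
  GNUPGHOME="$kr" gpg --batch --quiet --trust-model always --verify "$sig" "$sums" 2>/dev/null || return 1
  (cd "$dir" && sha256sum --quiet -c "$sums")
}

verify_download "$WORK/build-key.asc" "$WORK/SHA256SUMS" "$WORK/SHA256SUMS.asc" "$WORK" \
  && echo "genuine daily image: signature and checksum OK"

# The attack from the mail: a swapped ISO served with freshly computed checksums.
# Without the build key the attacker cannot re-sign SHA256SUMS, so this must fail.
ATTACK="$WORK/attacker"; mkdir "$ATTACK"
printf 'swapped payload\n' > "$ATTACK/grml64-full_testing.iso"
(cd "$ATTACK" && sha256sum grml64-full_testing.iso > SHA256SUMS)
cp "$WORK/SHA256SUMS.asc" "$ATTACK/"   # the only signature available is the genuine one
if verify_download "$WORK/build-key.asc" "$ATTACK/SHA256SUMS" "$ATTACK/SHA256SUMS.asc" "$ATTACK"; then
  echo "BUG: swapped image accepted"; exit 1
fi
echo "swapped image with matching checksums: rejected"
```

Checking the signature on SHA256SUMS rather than on the ISO itself keeps the signed object small; the hash check then binds the large download to it.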

Hi,
* Bernhard Reiter [Wed Apr 19, 2017 at 11:08:19AM +0200]:
> Today I've taken a look at a daily image for grml.org and found no way to verify that the image I'm downloading actually is from your build machines.
> http://grml.org/daily/ leads me to something like http://daily.grml.org/grml64-full_testing/2017-04-19_05-31-21/
> where there are no OpenPGP signatures available, and the https variant of the URL does not show the files.
> This is a problem because a downloader can be attacked by serving a different ISO file and the corresponding checksums. To prevent this attack you could a) also use https on the daily.grml.org server, b) use a new OpenPGP build key without password, publish the pubkey on the https main site and use the key in the automatic building process to generate the detached signatures.
Good idea, I'll add this to our todo list. Thanks!
regards, -mika-

* Michael Prokop [Wed Apr 19, 2017 at 03:32:17PM +0200]:
> * Bernhard Reiter [Wed Apr 19, 2017 at 11:08:19AM +0200]:
> > Today I've taken a look at a daily image for grml.org and found no way to verify that the image I'm downloading actually is from your build machines.
> > http://grml.org/daily/ leads me to something like http://daily.grml.org/grml64-full_testing/2017-04-19_05-31-21/
> > where there are no OpenPGP signatures available, and the https variant of the URL does not show the files.
> > This is a problem because a downloader can be attacked by serving a different ISO file and the corresponding checksums. To prevent this attack you could a) also use https on the daily.grml.org server, b) use a new OpenPGP build key without password, publish the pubkey on the https main site and use the key in the automatic building process to generate the detached signatures.
> Good idea, I'll add this to our todo list.
And https for daily.grml.org is already available, thanks to Alexander 'formorer' Wirt.
regards, -mika-