#1175 Cloud images (7, 8-stream, 9-stream) are not signed anymore (again)
Closed: Duplicate 11 months ago by arrfab. Opened 11 months ago by oseibertsys11.

Hi there! We used to download CentOS (Stream) cloud images from https://cloud.centos.org/centos/8-stream/x86_64/images/ and https://cloud.centos.org/centos/7/images/. They used to be pgp-signed but not any more. 8-stream was ok until about a week ago; 7 has been unsigned for a longer time.

Without pgp signatures, there is no assurance at all that the images somebody downloads are actually the original images as prepared by you, without being tampered with.

There used to be a file https://cloud.centos.org/centos/8-stream/x86_64/images/CHECKSUM.asc that was signed with PGP and contained SHA* sums of the images. This file no longer exists and I don't see a replacement. There are files that contain a single hash per image, but these are not helpful because they are not signed.

Can you please start pgp-signing your images again?

This also holds true for CentOS 9-stream images https://cloud.centos.org/centos/9-stream/x86_64/images/ which we never downloaded because they have never been pgp-signed (or at least they never were when I looked).

Can you also please make sure that signing images doesn't get casually forgotten. This is not the first time that signing somehow stopped; I reported a similar issue earlier in https://pagure.io/centos-infra/issue/185 .


Note: the issue with https://cloud.centos.org/centos/7/images/CentOS-7-x86_64-GenericCloud.qcow2 is that its sha256sum of 284aab2b23d91318f169ff464bce4d53404a15a0618ceb34562838c59af4adea is not present in https://cloud.centos.org/centos/7/images/sha256sum.txt.asc , neither by file name nor by value. If that URL were the same as one of the other images on that page, the hash would be present under another file name; as-is, I can only conclude the file is not genuine.
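The check the ticket describes, written out as an added example (not code from the ticket or from CentOS infra): verify the clearsigned checksum file first, then confirm the image's hash is listed both by file name and by value, and refuse a bare unsigned hash list outright. The two checksum layouts and the `gpg --verify` subprocess call are assumptions; the sample image and signed file are constructed.

```python
# Verify a cloud image against a PGP-clearsigned checksum list. The signature
# is checked first; an unsigned hash list is no more trustworthy than the image.
import hashlib
import re
import subprocess

# Two layouts found in distro checksum files (assumption, not from the ticket):
#   "SHA256 (image.qcow2) = <hex>"   and   "<hex>  image.qcow2"
_BSD = re.compile(r"^SHA256 \((?P<name>.+)\) = (?P<hash>[0-9a-f]{64})$")
_GNU = re.compile(r"^(?P<hash>[0-9a-f]{64})\s+\*?(?P<name>\S+)$")

def gpg_verify(path: str) -> bool:
    """True only if gpg accepts the signature; needs the signing key in the keyring."""
    return subprocess.run(["gpg", "--verify", path], capture_output=True).returncode == 0

def parse_checksums(text: str) -> dict:
    """Map file name -> sha256 from the clearsigned body; bare lists yield {}."""
    _, armor, rest = text.partition("-----BEGIN PGP SIGNED MESSAGE-----")
    if not armor:
        return {}  # not clearsigned: refuse rather than trust an unsigned list
    table = {}
    for line in rest.partition("-----BEGIN PGP SIGNATURE-----")[0].splitlines():
        m = _BSD.match(line) or _GNU.match(line)
        if m:
            table[m["name"]] = m["hash"]
    return table

def check_image(name: str, data: bytes, table: dict) -> str:
    """'ok', 'renamed' (hash listed under another name), 'mismatch' (name
    listed, hash differs) or 'unlisted' (neither name nor value present)."""
    digest = hashlib.sha256(data).hexdigest()
    if table.get(name) == digest:
        return "ok"
    if digest in table.values():
        return "renamed"
    return "mismatch" if name in table else "unlisted"

# Constructed sample, not a real CentOS file; the signature block is a placeholder.
SAMPLE_IMAGE = b"constructed qcow2 stand-in"
SAMPLE_SIGNED = f"""-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

SHA256 (CentOS-7-x86_64-GenericCloud.qcow2) = {hashlib.sha256(SAMPLE_IMAGE).hexdigest()}
{'0' * 64}  CentOS-7-x86_64-GenericCloud-2003.qcow2
-----BEGIN PGP SIGNATURE-----
placeholder
-----END PGP SIGNATURE-----
"""
```

In real use, call `gpg_verify` on the downloaded `.asc` and stop if it returns False before reading any hash out of it.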

Per wiki instructions (see https://wiki.centos.org/ReportBugs) everything related to CentOS Stream artifacts (tree, iso images and/or cloud images) should be filed on Bugzilla.

FWIW, there is already a ticket that was assigned to the Stream team (not the infra one) so you can track the status here: https://issues.redhat.com/browse/CS-1564

Metadata Update from @arrfab:
- Issue close_status updated to: Duplicate
- Issue status updated to: Closed (was: Open)

11 months ago

Thanks for the referral. I was posting here because the previous time I was sent here for this sort of issue.

Hi Olaf, thanks for reaching out. The current proper place to report issues with the CentOS infrastructure is here: https://pagure.io/centos-infra/issues

I found a similar issue in the tracker: https://pagure.io/centos-infra/issue/178


Tomas

Well, we (CentOS infra) provide the infra, yes, but we don't manage the content that the other team (in this case CentOS Stream) is pushing. I know there was already a question about this so I pointed you to where you can track it (it's linked to a BZ report too but that seems to be private now).
