#3761 add gpg signature for .treeinfo file and/or add CHECKSUM file for unsigned content of images
Closed: Fixed. Opened 11 years ago by jkeating.

Description of problem:
Currently the only way to verify the contents of .treeinfo or the installer
images is to download the .iso and the corresponding -CHECKSUM file and check it.
But e.g. preupgrade does not download the .iso but the *.img files, the kernel
and the .treeinfo directly from a mirror. Therefore it is also not possible to
easily verify these files. I guess the preupgrade way of updating is somehow
popular, therefore it should be possible to do this securely.

I filed a bug against preupgrade for not verifying anything and not announcing
this here: bug 509338.

This was fixed in F20.

Metadata Update from @jkeating:
- Issue tagged with: meeting

4 years ago

