[Mageia-dev] Proposed Feature: RepositorySignatures

nicolas vigier boklm at mars-attacks.org
Tue Jun 5 17:10:52 CEST 2012

= Summary =

The packages in the repository are signed, but metadata are currently
not signed. This feature would add metadata signatures on the
repository, and create tools to check them.

= Detailed Description =

The packages on the repository are signed with PGP. However, the
repository metadata are not currently signed. This includes :
* the hdlists
* the list of media, and PGP key to use to check the packages
* installer files used for network installs

This feature can be implemented in different steps :

== Publish checksum of important files on the mirrors ==

This will be done by sysadmin team. The mageia build system will be
modified to generate a file containing sha1sum of important files
on the mirror :
* media.cfg file
* media_info/MD5SUM and media_info/pubkey files for each repository.
  Those files contain the checksums of the hdlists files, and the public
  key used to check the package signatures.
* timestamp file, containing the date of the last update of the mirror
* installer files
This file will be signed using Mageia PGP key.

== Mirror integrity check tool ==

A tool to check a mirror integrity will be created. It should be able
to check all the mirror content, or only some medias.

== Integration in MGA::Mirror ==

The mirror integrity check will be integrated in Mga::Mirror so that
incorrect or outdated mirrors are automatically removed from

== Integration in urpmi ==

Urpmi will be updated to check the metadata signatures when updating

== Integration in installer ==

The installer will be updated to check the signature of stage2
downloaded from the server.


More information about the Mageia-dev mailing list