[Mageia-dev] Proposed Feature: RepositorySignatures
boklm at mars-attacks.org
Tue Jun 5 17:10:52 CEST 2012
= Summary =
The packages in the repository are signed, but metadata are currently
not signed. This feature would add metadata signatures on the
repository, and create tools to check them.
= Detailed Description =
The packages on the repository are signed with PGP. However, the
repository metadata are not currently signed. This includes :
* the hdlists
* the list of media, and PGP key to use to check the packages
* installer files used for network installs
This feature can be implemented in different steps :
== Publish checksum of important files on the mirrors ==
This will be done by sysadmin team. The mageia build system will be
modified to generate a file containing sha1sum of important files
on the mirror :
* media.cfg file
* media_info/MD5SUM and media_info/pubkey files for each repository.
Those files contain the checksums of the hdlists files, and the public
key used to check the package signatures.
* timestamp file, containing the date of the last update of the mirror
* installer files
This file will be signed using Mageia PGP key.
== Mirror integrity check tool ==
A tool to check a mirror integrity will be created. It should be able
to check all the mirror content, or only some medias.
== Integration in MGA::Mirror ==
The mirror integrity check will be integrated in Mga::Mirror so that
incorrect or outdated mirrors are automatically removed from
== Integration in urpmi ==
Urpmi will be updated to check the metadata signatures when updating
== Integration in installer ==
The installer will be updated to check the signature of stage2
downloaded from the server.
More information about the Mageia-dev