Gentoo Archives: gentoo-dev

From: "Robin H. Johnson" <robbat2@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] integrity of stage files
Date: Sat, 08 Oct 2011 22:44:33
Message-Id: robbat2-20111008T223252-434133119Z@orbis-terrarum.net
In Reply to: [gentoo-dev] integrity of stage files by "Paweł Hajdan
1 On Sat, Oct 08, 2011 at 02:45:02PM -0700, "Paweł Hajdan, Jr." wrote:
2 > I checked
3 > <http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=1&chap=5>
4 > and the Handbook only mentions validating MD5 checksums.
5 >
6 > There are two possible issues:
7 >
8 > 1. Why are we using _only_ MD5 and SHA1 as the checksums? Shouldn't we
9 > be using something stronger?
10 Fixed in Catalyst now.
11 http://git.overlays.gentoo.org/gitweb/?p=proj/catalyst.git;a=commit;h=42b4f6608682cf03954918ecce7923330a1656fe
12 So when the stagebuilders update their Catalyst, they will be generated
13 with newer hashes.
14
15 > 2. I noticed the checksums are signed (.asc files). With what key are
16 > they signed? How is that key handled, and how to ensure people use the
17 > right key when verifying the signature?
18 Documented here:
19 http://www.gentoo.org/proj/en/releng/
20
21 Relevant to this discussion:
22 The weekly builds are signed with:
23 key 2D182910 RSA 4096-bit, generated 2009/08/25
24 Gentoo Linux Release Engineering (Automated Weekly Release Key) <releng@g.o>
25
26 It's located in the pipeline that collects stages and isos for publication.
27
28 The non-weekly releases (eg 11.2) have a separate key
29 key 17072058, DSA 1024-bit, generated 2004/07/20
30 Gentoo Linux Release Engineering (Gentoo Linux Release Signing Key) <releng@g.o>
31
32 --
33 Robin Hugh Johnson
34 Gentoo Linux: Developer, Trustee & Infrastructure Lead
35 E-Mail : robbat2@g.o
36 GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85

Replies

Subject Author
Re: [gentoo-dev] integrity of stage files "Paweł Hajdan
Re: [gentoo-dev] integrity of stage files Matt Turner <mattst88@g.o>