On Thu, Jan 31, 2013 at 7:03 AM, Christian Hesse <[email protected]> wrote:
> Sven-Hendrik Haase <[email protected]> on Thu, 2013/01/31 13:34:
>> On 31.01.2013 13:33, Christian Hesse wrote:
>> > Sven-Hendrik Haase <[email protected]> on Thu, 2013/01/31 13:19:
>> >> On 31.01.2013 13:02, Christian Hesse wrote:
>> >>> Pierre Schmitz <[email protected]> on Wed, 2013/01/30 19:12:
>> >>>> I am going to build a new ISO image on Friday. I did a test build today
>> >>>> and everything looks fine. It's just updated packages; no changes to
>> >>>> ais nor archiso. Let me know if there are any known issues or blockers.
>> >>> This is not about the ISO itself but its download...
>> >>>
>> >>> Torrent download files can contain more than just one file. How about
>> >>> including a gpg signature for the ISO file? Possibly this increases the
>> >>> number of people actually checking the authenticity of downloaded files.
>> >> Frankly, why? The torrent already guarantees you didn't get bad data.
>> > Sure. But the gpg signature is not (only) about integrity but
>> > authenticity.
>> >
>> > If you get a bad (not broken) torrent file you could download a bad ISO
>> > image without noticing anybody is fooling you.
>> Oh, so you want to gpg the torrent file itself? Well, that could work, I
>> guess.
>
> No, I do not want to sign the torrent file. I want the ISO image and a gpg
> signature for that inside the torrent file. Even if anybody fools you, signs
> his own ISO with his own key and puts these into a torrent file, you can easily
> verify after download:
>
> $ pacman-key -v archlinux-2013.01.04-dual.iso.sig
> ==> Checking archlinux-2013.01.04-dual.iso.sig ...
> gpg: Signature made Thu 31 Jan 2013 01:56:51 PM CET using DSA key ID 2409C107
> gpg: Can't check signature: No public key
> ==> ERROR: The signature identified by archlinux-2013.01.04-dual.iso.sig
> could not be verified.
>
> Output should look like this, though; note this only happens if the key is in
> pacman's keyring and trusted with the required level:
>
> $ pacman-key -v archlinux-2013.01.04-dual.iso.sig
> ==> Checking archlinux-2013.01.04-dual.iso.sig ...
> gpg: Signature made Fri 04 Jan 2013 11:07:27 PM CET using RSA key ID 9741E8AC
> gpg: NOTE: trustdb not writable
> gpg: Good signature from "Pierre Schmitz <[email protected]>"
> --
> main(a){char*c=/* Kind regards */"B?IJj;MEH"
> "CX:;",b;for(a/* Chris get my mail address: */=0;b=c[a++];)
> putchar(b-1/(/* gcc -o sig sig.c && ./sig */b/42*2-3)*42);}
For the paranoid, we do sign the ISO file itself and the PGP signature has
always been available from our https://www.archlinux.org/download/ page. I
don't see any reason to include it in the torrent. If you got a bad torrent
file, I'm not sure where you got it from; we serve both the download page with
magnet link over HTTPS and also the torrent file itself.

-Dan
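The two pacman-key runs quoted above show why "a signature is present" is not the same as "signed by a key we trust". As an added example, not code from the thread or from Arch Linux's tooling, here is a POSIX shell classifier for the machine-readable status lines gpg emits with --status-fd, which separates the outcomes the thread describes: key not in the keyring (the 2409C107 case), good signature from a key that is merely present, and good signature from a key trusted at the required level. The verify_iso wrapper, its assumption that gpg is on PATH, and the default keyring directory /etc/pacman.d/gnupg (the homedir pacman-key uses) are assumptions of this example; the sample status lines are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Arch Linux. Classifies the
# machine-readable status lines gpg emits with --status-fd, so a script can tell
# "good signature from a key we trust" apart from "good signature from some key"
# (the attacker-signs-with-his-own-key case) and from "key not in keyring".
# Verdicts printed on stdout:
#   trusted   GOODSIG and the key is trusted fully or ultimately
#   untrusted GOODSIG but the key's trust level is below full
#   nokey     signature by a key the keyring does not hold (NO_PUBKEY)
#   bad       BADSIG / no signature data / nothing usable at all
classify_gpg_status() {
    good=0; trust=0; nokey=0; bad=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*)                               good=1 ;;
            "[GNUPG:] TRUST_FULLY"*|"[GNUPG:] TRUST_ULTIMATE"*) trust=1 ;;
            "[GNUPG:] NO_PUBKEY "*)                             nokey=1 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] NODATA "*)            bad=1 ;;
        esac
    done
    if   [ "$bad" = 1 ];   then echo bad        # file does not match the signature
    elif [ "$nokey" = 1 ]; then echo nokey      # e.g. key ID 2409C107 in the thread
    elif [ "$good" = 1 ] && [ "$trust" = 1 ]; then echo trusted
    elif [ "$good" = 1 ];  then echo untrusted  # signed, but by a key nobody vouched for
    else echo bad                               # ERRSIG for other reasons, empty input
    fi
}

# Verify a downloaded ISO against its detached .sig using a chosen keyring.
# Assumes gpg is on PATH; the default homedir is the directory pacman-key uses
# for pacman's keyring (an assumption of this example, see the lead-in).
verify_iso() {
    iso=$1; sig=$2; homedir=${3:-/etc/pacman.d/gnupg}
    gpg --batch --homedir "$homedir" --status-fd 1 --verify "$sig" "$iso" 2>/dev/null \
        | classify_gpg_status
}
```

Only "trusted" should be accepted by an automated downloader; "untrusted" is exactly the outcome a torrent carrying an attacker's own signature would produce.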
