Hi all,
I have downloaded the xcat-core and xcat-dep tar balls and I am trying to
find a way to authenticate them prior to using them.
First, the downloads are being done over http, so they can be manipulated
by whoever has access to my traffic. I was unsuccessful in trying to
use https download links. There is always the possibility I might be
getting a slightly different (compromised) tar ball.
I've found a GPG key located in repodata (repomd.xml.key) in both tar
balls.
The key I've got has the following ID and fingerprint:
gpg --fingerprint C6565BC9
pub 1024D/C6565BC9 2015-01-07
Key fingerprint = F75B 1BF6 78B6 44FD F3AA CFC8 60A3 E9AC C656 5BC9
uid xCAT Security Key <[email protected]>
It also validates the repomd.xml signature, and rpm -K on the files
reports the same key ID as missing:
rpm -K xCAT-server-2.9.1-snap201503190325.noarch.rpm
xCAT-server-2.9.1-snap201503190325.noarch.rpm: (SHA1) DSA sha1 md5 (GPG)
NOT OK (MISSING KEYS: GPG#c6565bc9)
Good news: once I know I've got the right key, I should be able to
proceed with installing the rpms.
Is everyone here also getting key ID C6565BC9 with the tar balls?
Could the xCAT security key be published on the web site, preferably on a
page that can be accessed over https, to increase the level of confidence
that our downloads are not being tampered with?
I have already published the key I've got to Fedora's public key server here
so others can compare:
https://keys.fedoraproject.org/pks/lookup?search=0xC6565BC9&op=vindex
Regards,
Marc-andre
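The check described in the post, written out as a small POSIX sh script. This is an added example, not code from the original post or from the xCAT project. It pins the full 40-digit fingerprint quoted above (never just the 8-digit short key ID, which is far too short to be collision-resistant), extracts the fingerprint from gpg output in both the old "Key fingerprint =" and the newer bare-line format, only imports the key into the rpm keyring once the fingerprint matches, and then requires rpm -K to report OK. The function names (norm_fpr, extract_fpr, fpr_matches, rpm_k_ok, verify_rpm) are my own; gpg and rpm are assumed to be installed for the live verify_rpm path, and rpm --import normally needs root.

```shell
#!/bin/sh
# Added example (not from the original post or the xCAT project): pin the
# xCAT key fingerprint quoted in the post and verify a downloaded rpm
# against it. Assumes gpg and rpm are installed for verify_rpm.

# Fingerprint copied from the post. Confirm it over a second channel
# (an https page, another list member) before trusting it.
XCAT_FPR="F75B 1BF6 78B6 44FD F3AA CFC8 60A3 E9AC C656 5BC9"

# Normalize a fingerprint: strip whitespace, upper-case the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'abcdef' 'ABCDEF'
}

# Read `gpg --fingerprint` / `gpg --with-fingerprint` output on stdin and
# print the first 40-hex-digit fingerprint found. Handles the older
# "Key fingerprint = ..." line and the newer bare indented line.
extract_fpr() {
    sed 's/^ *Key fingerprint = //' | tr -d ' ' \
        | grep -E '^[0-9A-Fa-f]{40}$' | head -n 1
}

# 0 only if the given fingerprint equals the pinned one in full.
fpr_matches() {
    [ "$(norm_fpr "$1")" = "$(norm_fpr "$XCAT_FPR")" ]
}

# Classify one line of `rpm -K` output: 0 = signature verified, 1 = not.
# "NOT OK" or "MISSING KEYS" anywhere in the line is a failure; only a
# line ending in "OK" passes (covers "gpg OK" and "signatures OK" forms).
rpm_k_ok() {
    case "$1" in
        *"NOT OK"*|*"MISSING KEYS"*) return 1 ;;
        *OK) return 0 ;;
        *) return 1 ;;
    esac
}

# Full check for one rpm: key file (e.g. repodata/repomd.xml.key) and rpm.
# The key is imported only after its fingerprint matches the pinned one,
# so a swapped key inside a tampered tar ball is rejected before rpm -K
# would ever trust it.
verify_rpm() {
    keyfile=$1
    rpmfile=$2
    actual=$(gpg --with-fingerprint "$keyfile" 2>/dev/null | extract_fpr)
    if ! fpr_matches "$actual"; then
        echo "fingerprint mismatch for $keyfile: got '$actual'" >&2
        return 1
    fi
    rpm --import "$keyfile" || return 1
    result=$(rpm -K "$rpmfile")
    echo "$result"
    rpm_k_ok "$result"
}

# Usage: sh verify-xcat.sh repodata/repomd.xml.key some-package.rpm
if [ "$#" -eq 2 ]; then
    verify_rpm "$1" "$2"
fi
```

The same fpr_matches check applies to the repomd.xml signature: verify it with gpg against the imported key and confirm the signing key's fingerprint (not just its short ID) is the pinned one before trusting the repodata.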
_______________________________________________
xCAT-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/xcat-user