Summary
The packages in the repository are signed, but metadata are currently not signed. This feature would add metadata signatures on the repository, and create tools to check them.
Owner
- Name: Nicolas Vigier
- Email: boklm@mars-attacks.org
Resources
- boklm
Current status
- Targeted release: Mageia 4 (cancelled for Mageia 3)
- Last updated: 2025/05/05
- Percentage of completion: 0%
Detailed Description
The packages in the repository are signed with PGP. However, the repository metadata are not currently signed. This includes:
- the hdlists
- the list of media, and PGP key to use to check the packages
- installer files used for network installs
This feature can be implemented in several steps:
Publish checksum of important files on the mirrors
This will be done by the sysadmin team. The Mageia build system will be modified to generate a file containing the sha1sum of important files on the mirror:
- media.cfg file
- media_info/MD5SUM and media_info/pubkey files for each repository. Those files contain the checksums of the hdlists files, and the public key used to check the package signatures.
- timestamp file, containing the date of the last update of the mirror
- installer files
This file will be signed using the Mageia PGP key.
Mirror integrity check tool
A tool to check a mirror's integrity will be created. It should be able to check all the mirror content, or only some media.
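One way such a check could work, as an added example (not Mageia's tool and not code from this page). It assumes the signed checksum file uses the output format of sha1sum and that its PGP signature has already been verified, for example with `gpg --verify`; the function names and file paths are constructed for illustration.

```python
import hashlib, os, pathlib, re, tempfile

LINE = re.compile(r"([0-9a-fA-F]{40}) [ *](.+)")  # sha1sum output format

def parse_manifest(text):
    """Parse a signature-verified manifest; reject paths that escape the mirror root."""
    entries = {}
    for line in filter(None, text.splitlines()):
        m = LINE.fullmatch(line)
        if not m or m[2].startswith("/") or ".." in m[2].split("/"):
            raise ValueError(f"bad manifest line: {line!r}")
        entries[m[2]] = m[1].lower()
    return entries

def sha1_file(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_mirror(root, manifest, media=None):
    """Return {path: 'missing' | 'mismatch'}; media restricts the check to those prefixes."""
    problems = {}
    for rel, want in manifest.items():
        if media and not any(rel.startswith(m.rstrip("/") + "/") for m in media):
            continue
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            problems[rel] = "missing"
        elif sha1_file(full) != want:
            problems[rel] = "mismatch"
    return problems

def demo():
    """Constructed mirror tree: record checksums, then alter one file and delete another."""
    files = ["media.cfg", "timestamp", "media/core/media_info/MD5SUM",
             "media/nonfree/media_info/pubkey"]  # constructed paths
    with tempfile.TemporaryDirectory() as root:
        for rel in files:
            pathlib.Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
            pathlib.Path(root, rel).write_bytes(b"constructed\n")
        manifest = parse_manifest("".join(
            f"{sha1_file(pathlib.Path(root, r))}  {r}\n" for r in files))
        pathlib.Path(root, files[2]).write_bytes(b"tampered\n")
        os.remove(pathlib.Path(root, files[3]))
        return check_mirror(root, manifest), check_mirror(root, manifest, ["media/nonfree"])

if __name__ == "__main__":
    print(demo())
```

The first result covers the whole mirror and the second only the `media/nonfree` prefix, matching the "all content or only some media" requirement.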
Integration in MGA::Mirror
The mirror integrity check will be integrated in MGA::Mirror so that incorrect or outdated mirrors are automatically removed from mirrorslist.
Integration in urpmi
Urpmi will be updated to check the metadata signatures when updating media.
Integration in installer
The installer will be updated to check the signature of stage2 downloaded from the server.
Why it would be good for Mageia to include it
It would improve security by making sure the mirrors are reliable and unmodified. It would also remove the problems of outdated mirrors in mirrorslist.
Test case
Software / Packages Dependencies
- mga-mirrors
- urpmi
- installer
What could disrupt development of this new feature
Planning
- 2012/08: define list of checksum and signatures, and publish them on mirrors
- 2012/09: create mirror integrity check tool
- 2012/10: integration in MGA::Mirrors
- 2012/12: integration in urpmi and installer
Contingency
Signature checks will be available as an option. If they are known to cause problems or are not fully ready, they can be disabled by default for Mageia 3.