From Mageia wiki

Summary

The packages in the repository are signed, but metadata are currently not signed. This feature would add metadata signatures on the repository, and create tools to check them.

Owner

  • Name : Nicolas Vigier
  • Email : boklm@mars-attacks.org

Resources

  • boklm

Current status

  • Targeted release: Mageia 4 (cancelled for Mageia 3)
  • Last updated: 2021/07/25
  • Percentage of completion: 0%

Detailed Description

The packages on the repository are signed with PGP. However, the repository metadata are not currently signed. This includes:

  • the hdlists
  • the list of media, and PGP key to use to check the packages
  • installer files used for network installs

This feature can be implemented in several steps:

Publish checksum of important files on the mirrors

This will be done by the sysadmin team. The Mageia build system will be modified to generate a file containing the sha1sum of important files on the mirror:

  • media.cfg file
  • media_info/MD5SUM and media_info/pubkey files for each repository. Those files contain the checksums of the hdlists files, and the public key used to check the package signatures.
  • timestamp file, containing the date of the last update of the mirror
  • installer files

This file will be signed using the Mageia PGP key.

Mirror integrity check tool

A tool to check a mirror's integrity will be created. It should be able to check all the mirror content, or only some media.
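
The check such a tool would perform, as an added example that is not Mageia's own code. It assumes the signed file uses sha1sum's `<digest>  <path>` line format, that its PGP signature has already been verified, and that the timestamp file holds a Unix epoch; `parse_manifest`, `file_status`, `check_mirror` and `demo` are hypothetical names, and the sample mirror is constructed.

```python
import hashlib
import os
import re
import tempfile

def parse_manifest(text):
    """Parse the (already signature-verified) manifest; assumed sha1sum line format."""
    entries = {}
    for line in text.splitlines():
        m = re.fullmatch(r"([0-9a-fA-F]{40})  (.+)", line)
        if not m:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[m.group(2)] = m.group(1).lower()
    return entries

def file_status(root, rel, want):
    full = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, full]) != root:
        return "unsafe-path"  # entry resolves outside the mirror tree
    if not os.path.isfile(full):
        return "missing"
    h = hashlib.sha1()
    with open(full, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return "ok" if h.hexdigest() == want else "modified"

def check_mirror(root, manifest, now, max_age):
    """Return {path: status}; the timestamp file is assumed to hold a Unix epoch."""
    root = os.path.realpath(root)
    status = {rel: file_status(root, rel, want) for rel, want in manifest.items()}
    # A stale mirror's old signed manifest still matches its old files: check age too.
    if status.get("timestamp") == "ok":
        with open(os.path.join(root, "timestamp")) as f:
            if now - int(f.read().strip()) > max_age:
                status["timestamp"] = "stale"
    return status

def demo(now=1000000 + 2 * 86400):
    """Constructed mirror: media.cfg altered after signing, timestamp two days old."""
    files = {"media.cfg": b"[core]\n", "timestamp": b"1000000\n"}
    lines = [f"{hashlib.sha1(d).hexdigest()}  {r}" for r, d in files.items()]
    lines += ["0" * 40 + "  ../outside", "0" * 40 + "  media_info/pubkey"]
    files["media.cfg"] += b"tampered\n"
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        return check_mirror(root, parse_manifest("\n".join(lines)), now, max_age=86400)
```

Any status other than `ok` would be grounds for dropping the mirror from the list, which is the behaviour the MGA::Mirror integration below describes.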

Integration in MGA::Mirror

The mirror integrity check will be integrated in Mga::Mirror so that incorrect or outdated mirrors are automatically removed from mirrorslist.

Integration in urpmi

Urpmi will be updated to check the metadata signatures when updating medias.

Integration in installer

The installer will be updated to check the signature of stage2 downloaded from the server.

Why it would be good for Mageia to include it

It would improve security by making sure the mirrors are reliable and unmodified. It would also remove the problems of outdated mirrors in mirrorslist.

Test case

Software / Packages Dependencies

  • mga-mirrors
  • urpmi
  • installer

What could disrupt development of this new feature

Planning

  • 2012/08 : define list of checksum and signatures, and publish them on mirrors
  • 2012/09 : create mirror integrity check tool
  • 2012/10 : integration in MGA::Mirrors
  • 2012/12 : integration in urpmi and installer

Contingency

Signature checks will be available as an option. If the feature is known to cause problems or is not fully ready, it can be disabled by default for Mageia 3.

Release Notes

Documentation