Andrew Pollock wrote:
> Next, you want to validate everything referenced by the config in
> pxelinux.cfg/
> There's already an MD5SUMS file on the Debian mirror, e.g.
> /debian/dists/lenny/main/installer-i386/current/images/MD5SUMS to help with
> this, but it's not signed. What would it take to GPG sign this?

The only ones in a position to sign that are the ftpmasters.

> But could d-i itself also verify the integrity of the
> preseed file once it was retrieved, if it also retrieved a detached
> signature? I'm guessing you'd have to pass an argument to d-i to say what
> key to expect the preseed to be signed by?

d-i does have gpgv available at the right point in time to be able to do
that, but you would have to somehow provide it with the full gpg key, not
just a key id.

> Anyone else got any thoughts on how to improve the non-repudiation of a
> netbooted d-i install?

Even if you verify the pxelinux.0, all the config files, the kernel and
ramdisk, and your preseed file, what of over-the-wire spoofing of TFTP?

Booting from a remastered CD with your preseed file included on it is the
only way that is 100% verifiable ATM. (Though actually, the CD build process
may not cryptographically validate the d-i images it adds to the CDs. That
and being able to get verifiable files for a USB stick are more good
arguments for signing the abovementioned MD5SUMS.)

-- 
see shy jo
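The verification chain the reply sketches (a signed MD5SUMS checked with gpgv against a full key, the netboot files checked against it, then the preseed's detached signature), written out as an added POSIX sh example for an admin host; it is not code from the thread or from d-i. It assumes a keyring file holding the full public key, a hypothetical MD5SUMS.sign (the mirror's MD5SUMS is unsigned at the time of the thread), a preseed.cfg.sig made by the same key, and the netboot file names under installer-i386/current/images/.

```shell
#!/bin/sh
# Added example: manual verification chain for a netboot tree.
# Assumed inputs: a keyring with the full public key, MD5SUMS.sign
# (hypothetical detached signature over MD5SUMS), preseed.cfg.sig.

# Verify a detached signature with gpgv. Returns 0 on a good signature,
# 2 if gpgv is not installed, non-zero otherwise (bad signature, unknown key).
verify_detached() {
    keyring=$1; sig=$2; file=$3
    command -v gpgv >/dev/null 2>&1 || return 2
    gpgv --keyring "$keyring" "$sig" "$file" >/dev/null 2>&1
}

# Check one file against an MD5SUMS file in the mirror's format
# ("<md5>  ./path/to/file"). Returns 0 if recorded and computed digests
# match, 1 if they differ, 3 if the file has no entry at all.
check_md5sum() {
    sums=$1; name=$2; file=$3
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$sums")
    [ -n "$expected" ] || return 3
    actual=$(md5sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Full chain: MD5SUMS must carry a good signature before its digests are
# trusted; then each netboot artefact is checked; then the preseed itself.
# An unsigned MD5SUMS stops here, which is exactly the gap the thread names.
verify_netboot_tree() {
    keyring=$1; dir=$2
    verify_detached "$keyring" "$dir/MD5SUMS.sign" "$dir/MD5SUMS" || return $?
    for name in ./netboot/pxelinux.0 \
                ./netboot/debian-installer/i386/linux \
                ./netboot/debian-installer/i386/initrd.gz; do
        check_md5sum "$dir/MD5SUMS" "$name" "$dir/$name" || return $?
    done
    verify_detached "$keyring" "$dir/preseed.cfg.sig" "$dir/preseed.cfg"
}
```

None of this covers the TFTP spoofing the reply raises: a good signature proves what a file is, not how it arrived.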