Re: Debian testing ISOs not GPG signed?

On Sun, Mar 09, 2014 at 06:03:01PM +0100, Mattias Wadenstein wrote:
>On Sun, 9 Mar 2014, Steve McIntyre wrote:
>>On Sun, Mar 09, 2014 at 02:17:20PM +0100, Marcel `sdrfnord` McKinnon wrote:
>>>I just wanted to reinstall my system on new hardware so I downloaded the current
>>>Debian testing (http://cdimage.debian.org/cdimage/weekly-builds/amd64/iso-cd/)
>>>build. After downloading it, I wanted to verify the integrity of the ISO (as I
>>>was used to from the stable builds). But I did not find a signed checksum file.
>>>Are testing builds not signed?? Is there another way to check the integrity of
>>>the testing ISOs?
>>We (I) don't sign any of the non-release builds on cdimage, no. Only
>>official stable and beta releases are signed, meaning that they've
>>undergone some manual verification and testing. It's a deliberate
>>policy not to sign the testing images, so as to avoid keeping PGP key
>>material on a remote server.
>It might be worth doing automatic signatures by a clearly labeled
>automatic signing key, just to reduce the risk of someone
>installing from a maliciously altered image. I do agree that the
>proper release signing is not doable for testing images though.

Fair point, yes. I've just added a new testing CDs key for automatic

pub   4096R/09EA8AC3 2014-04-15
      Key fingerprint = F41D 3034 2F35 4669 5F65  C669 4246 8F40 09EA 8AC3
uid                  Debian Testing CDs Automatic Signing Key <debian-cd@lists.debian.org>
sub   4096R/6BD05CFB 2014-04-15

and some extra code into the build scripts to use this key for the
daily and weekly testing CD builds. Starting from the next daily build
tonight, this should happen automatically now.

Steve McIntyre, Cambridge, UK.
Support the Campaign for Audiovisual Free Expression: http://www.eff.org/cafe/
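An added example, not part of this thread and not Debian's own tooling, of what the verification step on the downloading side looks like once the weekly and daily builds ship a signed checksum file. The point worth carrying over from Mattias's suggestion is that a "clearly labeled" automatic key only helps if the verifier pins that key: a "Good signature" from any key in the keyring is not enough, the signature must come from the fingerprint quoted above (F41D 3034 2F35 4669 5F65 C669 4246 8F40 09EA 8AC3), and a release-signed image should not be confused with an automatically signed one. The script assumes the checksum file is called SHA512SUMS with a detached signature SHA512SUMS.sign and that gpg and sha512sum are installed; the gpg status lines it parses are the documented `--status-fd` format, and the fingerprint-matching function is written so it can be exercised on constructed status lines without gpg present.

```shell
#!/bin/sh
# Added example (not from the thread): verify a testing ISO against a SHA512SUMS
# file signed by the "Debian Testing CDs Automatic Signing Key".
# Assumptions: checksum file SHA512SUMS, detached signature SHA512SUMS.sign
# (file names are assumed here, not taken from the thread); gpg and sha512sum
# are on PATH, and the automatic key has already been imported into the keyring.
set -eu

# Fingerprint quoted in the thread for the automatic signing key. It is pinned
# in the script rather than looked up, so a valid signature from any other key
# (including a key with the same user id) is rejected.
EXPECTED_FPR="F41D30342F3546695F65C66942468F4009EA8AC3"

# Turn a fingerprint as gpg prints it (grouped, possibly lowercase) into the
# compact uppercase form used for comparison.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Read gpg --status-fd lines on stdin and print "ok" only if a VALIDSIG line
# names the pinned fingerprint, either as the signing key or as the primary
# key (last field, present when the signature was made by a subkey).
# Any BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG line makes the result "reject".
check_status() {
    result=reject
    while IFS=' ' read -r prefix keyword fpr rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$keyword" in
            VALIDSIG)
                primary=${rest##* }    # last field of the VALIDSIG line
                if [ "$(normalize_fpr "$fpr")" = "$EXPECTED_FPR" ] ||
                   [ "$(normalize_fpr "$primary")" = "$EXPECTED_FPR" ]; then
                    result=ok
                fi
                ;;
            BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)
                result=reject
                break
                ;;
        esac
    done
    echo "$result"
}

# verify_iso SHA512SUMS SHA512SUMS.sign path/to/image.iso
# Step 1: the checksum file must carry a valid signature from the pinned key.
# Step 2: only then is the ISO compared against the line that names it.
verify_iso() {
    sums=$1; sig=$2; iso=$3
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null | check_status)
    if [ "$status" != ok ]; then
        echo "SHA512SUMS is not signed by the pinned testing key; refusing to trust it" >&2
        return 1
    fi
    # Check just the entry for this image, from the image's own directory so
    # the relative file name in SHA512SUMS resolves.
    (cd "$(dirname "$iso")" && grep " $(basename "$iso")\$" "$sums" | sha512sum -c -)
}

if [ "$#" -eq 3 ]; then
    verify_iso "$@"
fi
```

Usage: `sh verify-testing-iso.sh SHA512SUMS SHA512SUMS.sign debian-testing-amd64-netinst.iso` after importing the automatic key and comparing its fingerprint by hand against the one posted in this thread. The two-step order matters: the checksum file is only worth reading once its signature has been tied to the expected key, otherwise an attacker who can alter the image can alter the checksum file alongside it.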
