On 25/07/2019 00:00, Thomas Goirand wrote:
> On the secret files found here:
> http://cloud.debian.org/cdimage/cloud/
>
> there's a json file attached. Unfortunately, there's no SHA512, and of
> course, no GPG signature of this file, so it's impossible check the validity
> of the images. Please at least add a SHA512, then we can see later how we
> can sign the json file.
What do we need in order to actually make this happen? I presume this
needs a code change in
https://salsa.debian.org/cloud-team/debian-cloud-images? If so, I'd like
to take that on.
Clearly it makes sense to include the checksum(s) in the build.json
file, but:
- Which checksums should we include? Our Apt repos use MD5 and SHA-256,
and our ISOs use MD5, SHA-1, SHA-256 and SHA-512. I'd be inclined to
suggest SHA-256 and SHA-512 only, personally.
- I know the manifests are inspired by Kubernetes, but the checksums
don't feel like they have a natural place in the current data structure.
I can see three options:
1. Add labels of the form "checksum.cloud.debian.org/${ALGO}" under
metadata.labels, for example "checksum.cloud.debian.org/sha256".
2. Add keys under data.info of the form "${ALGO}sum", for example
"sha256sum".
3. Add a new mapping within the "data" mapping called "checksums" with
keys for each algorithm, e.g. "data.checksums.sha256".
In each case I expect the values to be hex strings, effectively the same
as the first column of the output from sha1sum, sha256sum, sha512sum,
etc... from coreutils.
- Should we also generate the relevant SHA1SUM / SHA256SUM / SHA512SUM /
etc... files as might be consumed by the coreutils tools?
- Should we GPG-sign the manifests, logs, and/or checksum files? How
might we go about this?
Cheers,
Chris
--
Chris Boot
bootc@debian.org
Attachment:
signature.asc
Description: OpenPGP digital signature