Le Tuesday 8 February 2011 20:36:37 Thijs Kinkhorst, vous avez écrit :
> On Tuesday 08 February 2011 17:06:37 Didier Raboud wrote:
> > a current flaw of the standalone version of win32-loader (source and
> > binary package in Debian) is that it downloads the d-i kernel and
> > initrds through Internet without any form of checking that those are
> > authenticated binaries from the Debian project (see #442180 for
> > details).
> >
> > In order to solve this, the Windows executable needs to check the
> > signature on the downloaded Release{,.gpg} file and then check the
> > md5sums of various files. The md5sum checksum verification is already
> > implemented (although not uploaded yet) with a md5sum implementation
> > internal to NSIS. There are still missing pieces on FTP-Master side (see
> > #611087, which will get solved in their upcoming meeting, I heard), but
> > I would also need a gpgv.exe that could run on the target Windows host,
> > to check the downloaded Release{,.gpg} files.
>
> I'm not aversive to this plan but I do not completely understand it. You
> need gpgv.exe on the Windows platform, but you cannot install debs there,
> right? So what would the role of this deb be exactly?Hi Thijs, thanks for your rapid answer. This new binary package would serve the same purpose (and is designed likewise) as cpio-win32 or gzip-win32: they are Build-Depends of win32-loader. During the win32-loader build, they get "embedded" in the win32-loader.exe Windows executable. When launched, this executable collects some informations from the running Windows host and then uses cpio.exe and gzip.exe to repack a new initrd with embedded preseeding. (The executables are embedded in the win32-loader.exe using the File /oname=$INSTDIR\cpio.exe /usr/share/win32/cpio.exe File /oname=$INSTDIR\gzip.exe /usr/share/win32/gzip.exe commands (in s_install.nsi in current win32-loader git). First argument being the path in Windows, second being the (build-)source of said executables.) Hence I would like to bundle gpgv.exe similarly, in order to unpack it in the C:\win32-loader path ($INSTDIR above), to be able to check Release file signatures, on the Windows host. Is that clearer ? I can develop furthermore if needed. > Also I cannot test it. Would you assume responsibility for dealing with > potential bug reports for this? If your Debian can run wine, gpgv.exe runs correctly under wine (although with glitches around path handling in the --keyring option; which are workaround'able). But yes, I can handle this, and I'll make sure to be subscribed to gnupg's bugreports if my patch gets accepted. Cheers, OdyX -- Didier Raboud, proud Debian Developer. CH-1020 Renens [email protected]
signature.asc
Description: This is a digitally signed message part.
