caiok commented on issue #419: Dockerfile: automatic the signature verification
   @jiazhai Are you sure that the public key used to sign the release packages 
vary from one version to another? I think that usually should not.
   Anyway, I'm not sure that there is a simpler way to achieve this. When you 
create the image with that key you are saying that you and developers who 
approved that image trust that key and even if an attacker succeed in providing 
you a fake package at build time this package won't pass the validation.
   If you for instance download that key somewhere (maybe at the same location 
that the packets) you substantially invalidate that precaution.
   Have you already had an implementation idea for this proposal?
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:

With regards,
Apache Git Services

Reply via email to