Colin Watson has proposed merging lp:~cjwatson/launchpad/sign-installer into
lp:launchpad.
Requested reviews:
Launchpad code reviewers (launchpad-reviewers)
Related bugs:
Bug #383044 in Launchpad itself: "No GPG signatures for nonstandard
installers"
https://bugs.launchpad.net/launchpad/+bug/383044
For more details, see:
https://code.launchpad.net/~cjwatson/launchpad/sign-installer/+merge/85670
= Summary =
As reported in bug 383044, we should sign Ubuntu's files containing checksums
of installer images so that there's a reasonable trust path to download them.
== Proposed fix ==
Extend the existing ad-hoc
cronscripts/publishing/distro-parts/ubuntu/publish-distro.d/10-sign-releases
script. This is Ubuntu-specific.
== Pre-implementation notes ==
I discussed this approach with lifeless on the bug. He reckoned it was OK to
extend this script for now, although it would be better to do it for all
primary archives. I haven't attempted the latter yet as that path isn't used
for Ubuntu, and I'm not honestly sure whether derived distributions in
Launchpad are going to need this.
== Implementation details ==
None.
== Tests ==
This script is untestable right now, as far as I know; test_publish_ftpmaster
just tests that scripts in the publish-distro.d directory will get run.
== Demo and Q/A ==
Create /srv/launchpad.net/ubuntu-archive/gnupg-home with some kind of useful
GPG configuration on dogfood (mirroring production, I suppose, only with a
different key) so that we can sign things. Do a full publish-ftpmaster run on
dogfood and check that dists/p-series/main/installer-*/current/images/*SUMS get
correctly signed with dogfood's key.
== lint ==
None.
=== modified file 'cronscripts/publishing/distro-parts/ubuntu/publish-distro.d/10-sign-releases'
--- cronscripts/publishing/distro-parts/ubuntu/publish-distro.d/10-sign-releases 2011-08-08 06:05:38 +0000
+++ cronscripts/publishing/distro-parts/ubuntu/publish-distro.d/10-sign-releases 2011-12-14 14:36:25 +0000
@@ -14,8 +14,10 @@
RELEASE_FILES=`find $DISTSROOT -maxdepth 2 -name Release`
DIST_UPGRADER_TARBALLS=`
find $DISTSROOT/*/*/dist-upgrader* -name "*.tar.gz" || true`
+INSTALLER_CHECKSUMS=`
+ find $DISTSROOT/*/*/installer-* -name "*SUMS" || true`
-for CANDIDATE in $RELEASE_FILES $DIST_UPGRADER_TARBALLS
+for CANDIDATE in $RELEASE_FILES $DIST_UPGRADER_TARBALLS $INSTALLER_CHECKSUMS
do
if [ ! -f "$CANDIDATE.gpg" ] || [ "$CANDIDATE" -nt "$CANDIDATE.gpg" ]
then
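Review bot: The new INSTALLER_CHECKSUMS find has no -type f, and its output is expanded unquoted in the for loop, so any entry under installer-* whose name ends in SUMS (a directory included) becomes a signing candidate, and a path containing whitespace would be split into several words. Adding -type f to the find would restrict candidates to regular files. The trailing || true makes a failed find indistinguishable from an empty result, so a problem here leaves the checksum files unsigned while the script still exits successfully. That matches the existing DIST_UPGRADER_TARBALLS line, but a one-line comment saying that a missing installer-* directory is expected would document why the error is swallowed. The unchanged test [ "$CANDIDATE" -nt "$CANDIDATE.gpg" ] now also decides when checksum files are re-signed: a SUMS file replaced by one with an older mtime than its existing .gpg would keep a signature that no longer matches, so it is worth confirming that installer uploads always produce a newer mtime, or re-signing whenever verification of the existing signature fails.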