fwiw, this is a regression over the use of 'cobbler-ubuntu-import', which does do gpg checking against /usr/share/keyrings/ubuntu-archive- keyring.gpg [1]. That was added under bug 974460.
Outside of the race condition, which I'm willing to ignore for the time being, we can just use the same solution there. Note also that a "InRelease" (signed content in same file as payload) does not fix this entirely either, as there is still the race between downloading the ISO and the the signed file. -- [1] http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/quantal/cobbler/quantal/view/head:/debian/cobbler-ubuntu-import#L86 -- You received this bug notification because you are a member of MAAS Maintainers, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1039513 Title: maas-import-pxe-files should cryptographically verify what it downloads Status in MAAS: New Bug description: Currently, maas-import-pxe-files uses HTTP to download its files, including pxelinux.0 and netboot kernel image and initrd. In theory, somebody could intercept this and inject a malicious payload. maas-import-ephemerals avoids this by using HTTPS, but: 1) This prevents (easy) caching 2) archive.ubuntu.com doesn't appear to support HTTPS 3) The files we need are indirectly signed, so if we just try to verify what is there we'll end up with the same race condition that apt faces in bug 972077 To manage notifications about this bug go to: https://bugs.launchpad.net/maas/+bug/1039513/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~launchpad-reviewers Post to : [email protected] Unsubscribe : https://launchpad.net/~launchpad-reviewers More help : https://help.launchpad.net/ListHelp

