= Summary =
The packages in the repository are signed, but the repository metadata are currently not. This feature adds signatures on the repository metadata and creates tools to check them.

= Detailed Description =
The packages in the repository are signed with PGP. However, the repository metadata are not currently signed. This includes:
* the hdlists
* the list of media, and the PGP key to use to check the packages
* the installer files used for network installs

Without a signature on this metadata, a mirror that serves tampered hdlists or a substituted public key cannot be distinguished from a legitimate one, so package signatures alone do not protect clients from a malicious or compromised mirror. This feature can be implemented in several steps:

== Publish checksums of important files on the mirrors ==
This will be done by the sysadmin team. The Mageia build system will be modified to generate a file containing the sha1sum of important files on the mirror:
* the media.cfg file
* the media_info/MD5SUM and media_info/pubkey files of each repository. These files contain the checksums of the hdlist files and the public key used to check the package signatures.
* a timestamp file, containing the date of the last update of the mirror
* the installer files
This file will be signed with the Mageia PGP key. Covering media_info/pubkey in the signed file also prevents a mirror from substituting both the packages and the key used to verify them.

== Mirror integrity check tool ==
A tool to check the integrity of a mirror will be created. It should be able to check the whole mirror content, or only some media.

== Integration in MGA::Mirror ==
The mirror integrity check will be integrated in MGA::Mirror so that incorrect or outdated mirrors are automatically removed from the mirror list.

== Integration in urpmi ==
urpmi will be updated to check the metadata signatures when updating media.

== Integration in installer ==
The installer will be updated to check the signature of the stage2 downloaded from the server.

https://wiki.mageia.org/en/Feature:RepositorySignatures
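The following is an added example of the two halves described above, the generation of a sha1sum manifest over the important mirror files and the integrity check that a mirror checker or MGA::Mirror would run against it. It is illustrative code written for this page, not the Mageia build system's or urpmi's own implementation. The manifest name SHA1SUMS, the two-day staleness threshold, the timestamp file holding epoch seconds, and the sample media.cfg, MD5SUM and pubkey contents are all assumptions made for the example; the page fixes none of them. Signature verification is delegated to gpg over a detached signature and is shown as a function but not exercised in the offline demo, which constructs its mirror tree in a temporary directory.

```python
"""Mirror integrity check against a signed sha1sum manifest (added example, not Mageia code)."""
import hashlib
import os
import shutil
import subprocess
import tempfile
import time

MANIFEST_NAME = "SHA1SUMS"            # hypothetical name; the feature page does not fix it
MAX_TIMESTAMP_AGE = 2 * 24 * 3600     # hypothetical: a mirror older than two days is "outdated"


def sha1_of_file(path):
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, rel_paths):
    """Build-system side: emit sha1sum(1)-style lines '<hex>  <relative path>' for the listed files."""
    return "".join(f"{sha1_of_file(os.path.join(root, p))}  {p}\n" for p in sorted(rel_paths))


def parse_manifest(text):
    """Parse the manifest strictly: a malformed or path-escaping line is an error, not a warning."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 40 or any(c not in "0123456789abcdef" for c in parts[0].lower()):
            raise ValueError(f"malformed manifest line {lineno}: {line!r}")
        rel = parts[1].lstrip("*")     # sha1sum marks binary-mode files with a leading '*'
        if os.path.isabs(rel) or ".." in rel.split("/"):
            raise ValueError(f"refusing path outside the mirror root: {rel!r}")
        entries[rel] = parts[0].lower()
    return entries


def verify_detached_signature(manifest_path, sig_path, keyring):
    """Verify the detached PGP signature over the manifest with gpg, using only the given keyring.

    This must succeed before any checksum in the manifest is trusted. Not run in the offline demo."""
    res = subprocess.run(["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
                          "--verify", sig_path, manifest_path],
                         stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return res.returncode == 0


def check_mirror(root, manifest_text, now=None, max_age=MAX_TIMESTAMP_AGE):
    """Check every file named in a verified manifest; return {path: problem}, empty if the mirror is OK."""
    problems = {}
    entries = parse_manifest(manifest_text)
    for rel, expected in entries.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            problems[rel] = "missing"
        elif sha1_of_file(path) != expected:
            problems[rel] = "checksum mismatch"
    # The timestamp file is itself covered by the manifest, so once the signature is verified
    # its value is trustworthy and can be used to flag a mirror that has not synced recently.
    if "timestamp" in entries and "timestamp" not in problems:
        with open(os.path.join(root, "timestamp")) as fh:
            last_update = int(fh.read().strip())
        if (now if now is not None else time.time()) - last_update > max_age:
            problems["timestamp"] = "outdated mirror"
    return problems


def demo():
    """Construct a small mirror tree, check it clean, then tamper with it and check again."""
    root = tempfile.mkdtemp(prefix="mirror-")
    try:
        files = {                                   # constructed sample content, not real Mageia data
            "media.cfg": "[core/release]\nhdlist=hdlist_core_release.cz\n",
            "media_info/MD5SUM": "d41d8cd98f00b204e9800998ecf8427e  hdlist_core_release.cz\n",
            "media_info/pubkey": "-----BEGIN PGP PUBLIC KEY BLOCK-----\nconstructed placeholder\n",
            "timestamp": "1700000000\n",
        }
        for rel, content in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path) or root, exist_ok=True)
            with open(path, "w") as fh:
                fh.write(content)
        manifest = build_manifest(root, files)
        fresh = check_mirror(root, manifest, now=1700000000 + 3600)
        # Simulate a tampered, partially synced mirror checked three days after its last update.
        with open(os.path.join(root, "media_info/MD5SUM"), "a") as fh:
            fh.write("00000000000000000000000000000000  evil.cz\n")
        os.remove(os.path.join(root, "media_info/pubkey"))
        tampered = check_mirror(root, manifest, now=1700000000 + 3 * 86400)
        return {"fresh": fresh, "tampered": tampered}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result or "OK")
```

In a real deployment the manifest and its detached signature would be fetched from the mirror under test, verify_detached_signature() run against a keyring holding only the Mageia key, and check_mirror() run only on success; a mirror with any entry in the returned dict is dropped from the mirror list, which is the behaviour the MGA::Mirror integration step calls for.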
