Issue #1777 has been updated by James Turnbull.
Assigned to changed from James Turnbull to Luke Kanies

Luke - can you now do the following (might also be worth getting anyone else whom we know and trust with keys to sign Teyo, others, etc.).

<pre>
1. Import this key into your personal gpg keyring. Also note that you must already have a personal GPG key on this system!

$ gpg --import release_key/reductivelabs_releasekey.gpg.asc
gpg: key <keyID>: public key "Reductive Labs Release Key <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

2. Sign this key with your personal gpg key,

$ gpg --sign-key [email protected]

pub  4096R/<keyID>  created: 2008-12-09  expires: 2010-12-09  usage: SC
                    trust: unknown       validity: unknown
[ unknown] (1). Reductive Labs Release Key <[email protected]>

pub  4096R/<keyID>  created: 2008-12-09  expires: 2010-12-09  usage: SC
                    trust: unknown       validity: unknown
 Primary key fingerprint: 160A AE84 83D7 BC63 0BE6 49D2 B3E7 3CDF <key> <ID>

     Reductive Labs Release Key <[email protected]>

This key is due to expire on 2010-12-09.
Are you sure that you want to sign this key with your
key "Luke <[email protected]>" (<keyID>)

Really sign? (y/N) y

You need a passphrase to unlock the secret key for
user: "Luke <[email protected]>"
1024-bit DSA key, ID <keyID>, created 2000-05-07

gpg: gpg-agent is not available in this session

3. Send this key to the keyservers, this will send the public key and your signature to the public keyservers

$ gpg --keyserver pool.sks-keyservers.net --send-key <keyid>
</pre>

I've added verification instructions to the wiki on the DownloadingPuppet page.

----------------------------------------
Feature #1777: Please provide cryptographically authenticated package downloads
http://projects.reductivelabs.com/issues/1777

Author: micah
Status: Accepted
Priority: High
Assigned to: Luke Kanies
Category: plumbing
Target version: 0.25.2
Affected version: 0.24.6
Keywords:
Branch:

The "DownloadingPuppet":http://reductivelabs.com/trac/puppet/wiki/DownloadingPuppet page provides the release tarballs for puppet.

These should be accompanied by a cryptographic authentication mechanism for verifying the source integrity. Preferably by providing detached OpenPGP signatures of the release tarball (like the Linux kernel "provides":http://kernel.org/signature.html), or by providing a cryptographic hash verification.

Without this, there is no way to ensure that any given tarball, or file on this page, is a legitimate uncompromised copy of the source that the puppet project is releasing. All it takes is for someone to compromise a development host, and upload a modified tarball release to effectively compromise a very large segment of managed infrastructure that depends on puppet.
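The verification side of what the issue asks for, as an added example that is not the wiki's instructions or the project's own code: a POSIX sh script that checks a detached signature on a release tarball and pins the release key's fingerprint, since `gpg --verify` exits 0 for a good signature from any key in the keyring, trusted or not. It assumes gpg and GNU coreutils `sha256sum` are installed; the fingerprint constant, file names and the `verify_release`/`check_status` function names are placeholders chosen here.

```shell
#!/bin/sh
# Added example (not from the issue): verify TARBALL against a detached
# OpenPGP SIGNATURE and require the signing key's fingerprint to match.
# Placeholder fingerprint: replace with the full 40-hex-digit fingerprint
# of the real release key after importing and checking it as shown above.
RELEASE_KEY_FPR="0000 0000 0000 0000 0000 0000 0000 0000 0000 0000"

# check_status: read "gpg --status-fd" lines on stdin. Succeed only on a
# VALIDSIG line whose primary-key fingerprint (last field) equals $1.
# Spaces and case in the expected fingerprint are normalised first.
check_status() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG "*)
                primary=${line##* }          # last whitespace-separated field
                [ "$primary" = "$expected" ] && return 0
                ;;
        esac
    done
    return 1                                 # no VALIDSIG, or a different key
}

# verify_release TARBALL SIGNATURE [SHA256]: the signature is mandatory; the
# published hash is an optional extra check, because a hash fetched over the
# same channel as the tarball proves nothing on its own.
verify_release() {
    tarball=$1 sig=$2 sha=${3:-}
    [ -f "$tarball" ] && [ -f "$sig" ] || { echo "missing file" >&2; return 1; }
    if ! gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null \
            | check_status "$RELEASE_KEY_FPR"; then
        echo "REJECT: bad signature or not signed by the release key" >&2
        return 1
    fi
    if [ -n "$sha" ] && ! printf '%s  %s\n' "$sha" "$tarball" | sha256sum -c --quiet -; then
        echo "REJECT: SHA-256 mismatch for $tarball" >&2
        return 1
    fi
    echo "OK: $tarball verified"
}

if [ "$#" -ge 2 ]; then verify_release "$@"; fi
```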
