On Fri, Oct 01, 2021 at 09:52:20AM +0100, Daniel P. Berrangé wrote:
> On Fri, Oct 01, 2021 at 08:11:35AM +0100, Stefan Hajnoczi wrote:
> > We need to keep the security of QEMU releases in mind. Mike Roth
> > signs and publishes releases. Whoever facilitates or hosts the files
> > should not be able to modify the files after Mike has blessed them. One
> > way to do this is to keep hosting the .sig files on download.qemu.org
> > and to redirect the actual tarballs to a file hosting provider. A way to
> > securely publish files without hosting anything on qemu.org would be
> > even better though (maybe it's enough to publish signatures on the
> > static GitLab Pages website).
>
> If someone modifies the download files, then when you verify the sig
> it will be detected. It doesn't matter whether the sig is on the same
> host or not, because if someone modifies the sig too, then it will
> still fail validation. The important thing is that the user has got
> the right public key to verify with.
>
> IOW, hosting the .sig separately is not required. We need to ensure
> that our public key, however, is published & discoverable in a
> trustworthy place that is separate from the download server. We fail
> at that today because www.qemu.org and download.qemu.org are the
> same server.
>
> So it will be beneficial if the download site is split off from
> the public website, compared to our current setup.
You're right. Thanks for pointing this out. I was thinking of the .sig as a checksum but it's a signature :-).

Stefan
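The distinction the thread turns on (a checksum hosted beside the file protects nothing against whoever controls the host, a detached signature does, and the only thing the user must obtain from a separate trustworthy place is the public key) can be modelled in a few lines. The following is an added example written for this page; it is not QEMU's release tooling and not code from either poster. It uses Go's crypto/ed25519 as a stand-in for the PGP key that signs QEMU releases, and the tarball bytes, key pairs and the "host replaces the files" scenario are all constructed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Release is what a download server hands out: the tarball, a checksum file
// hosted beside it, and a detached signature over the tarball.
type Release struct {
	Tarball  []byte
	Checksum [sha256.Size]byte // contents of a co-hosted SHA256SUMS-style file
	Sig      []byte            // detached signature made with the release key
}

// Publish is the release manager's step: compute the checksum and sign the
// tarball with a private key that never leaves the signer's machine.
func Publish(tarball []byte, priv ed25519.PrivateKey) Release {
	return Release{
		Tarball:  tarball,
		Checksum: sha256.Sum256(tarball),
		Sig:      ed25519.Sign(priv, tarball),
	}
}

// VerifyChecksum is what a user does when they only compare the download
// against a checksum served from the same host as the tarball.
func VerifyChecksum(r Release) bool {
	return sha256.Sum256(r.Tarball) == r.Checksum
}

// VerifySignature checks the detached signature against a public key; whether
// that check means anything depends on where the key came from.
func VerifySignature(r Release, pub ed25519.PublicKey) bool {
	return ed25519.Verify(pub, r.Tarball, r.Sig)
}

// HostReplacesFiles models a download server the release manager does not
// trust: every hosted file (tarball, checksum, .sig, even a "public key" file)
// can be rewritten, but the genuine release private key is not available, so
// the replacement is signed with a key the host controls. Constructed scenario.
func HostReplacesFiles(replacement []byte, hostPriv ed25519.PrivateKey) Release {
	return Publish(replacement, hostPriv)
}

// Outcome records which verification steps accept which release.
type Outcome struct {
	GenuineAccepts   bool // untouched release checked against the real release key
	ChecksumAccepts  bool // replaced release, co-hosted checksum: host recomputed it
	SigWithRealKey   bool // replaced release, signature checked with the real key
	SigWithHostedKey bool // replaced release, signature checked with a key fetched from the host
}

// Demo runs the checks with freshly generated (constructed) keys and tarballs.
func Demo() (Outcome, error) {
	releasePub, releasePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	hostPub, hostPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}

	genuine := Publish([]byte("qemu-x.y.z.tar.xz: constructed placeholder bytes"), releasePriv)
	served := HostReplacesFiles([]byte("qemu-x.y.z.tar.xz: bytes altered by the host"), hostPriv)

	return Outcome{
		GenuineAccepts:   VerifySignature(genuine, releasePub),
		ChecksumAccepts:  VerifyChecksum(served),
		SigWithRealKey:   VerifySignature(served, releasePub),
		SigWithHostedKey: VerifySignature(served, hostPub),
	}, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Running it shows the three facts from the thread in one place: the co-hosted checksum accepts the altered tarball (the host simply recomputed it), the altered tarball fails against the real release key no matter where the .sig file lives, and it passes only if the user also fetched the public key from the same host. That last case is why the public key, not the .sig, is what has to be published somewhere the download server cannot rewrite.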