[Simple-cdd-devel] Integrity of the software contained on the CD

Vagrant Cascadian vagrant at freegeek.org
Fri Feb 4 19:46:53 UTC 2011


On Fri, Feb 04, 2011 at 04:34:00PM +0100, Müller-Reineke, Matthias wrote:
> did anybody worry about the integrity of the software contained on the CD produced with simple-cdd?
> I discovered that simple-cdd utilizes reprepro and that reprepro issues the warnings below.
> Did anybody try to make reprepro validate the integrity of the software?
> reprepro's man page describes a configuration possibility "VerifyRelease". Does anybody know how to use it for simple-cdd?
> 
> reprepro issues these warnings when called by simple-cdd:
> 
> Warning: No VerifyRelease line in 'default' or any rule it includes via 'From:'.
> Release.gpg cannot be checked unless you tell which key to check with.
> (To avoid this warning and not check signatures add 'VerifyRelease: blindtrust').

simple-cdd was developed before signed repositories, and i've never really
gotten around to figuring out a simple way to implement signature checking. it
would be good to fix that.

probably the simplest thing to do would be to define a commandline or
environment variable that contains the GPG fingerprints in a format that
reprepro can use. more complicated would be parsing a gpg keyring (such as
/etc/apt/trusted.gpg) and getting the fingerprints from that.

i'll spend some time testing simple-cdd today and see if i can come up with
something.

live well,
  vagrant
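The keyring-parsing approach sketched above, as an added example that is not part of the original mail or of simple-cdd: it turns the primary-key fingerprints in a GnuPG keyring into a VerifyRelease value for reprepro. The `|` separator is reprepro's syntax for listing alternative keys; the keyring path /etc/apt/trusted.gpg comes from the mail, and the colon-format sample is constructed so the parser runs without gpg installed.

```sh
#!/bin/sh
# Build a reprepro "VerifyRelease:" value from the primary-key fingerprints
# in a GnuPG keyring (e.g. /etc/apt/trusted.gpg), so Release.gpg gets checked
# instead of silencing the warning with 'blindtrust'. Example code, not from
# simple-cdd or reprepro.

# Parse `gpg --with-colons --fingerprint` output on stdin and print the
# primary-key fingerprints joined by '|' (reprepro's separator for
# alternative keys). Subkey fingerprints are deliberately skipped.
fingerprints_to_verifyrelease() {
    awk -F: '
        # "pub" starts a primary key; the next "fpr" record is its fingerprint.
        # "sub" starts a subkey, whose "fpr" record we ignore.
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { fprs[n++] = $10; want = 0 }
        END {
            for (i = 0; i < n; i++)
                printf "%s%s", (i ? "|" : ""), fprs[i]
            if (n) printf "\n"
        }'
}

# Read the keyring named in $1 and print a complete "VerifyRelease:" line,
# ready to be added to the update rule (e.g. "default") in conf/updates.
verifyrelease_line_from_keyring() {
    gpg --no-default-keyring --keyring "$1" --with-colons --fingerprint |
        fingerprints_to_verifyrelease |
        sed 's/^/VerifyRelease: /'
}

# Constructed sample of gpg's colon output: two primary keys, one subkey.
# Key ids and fingerprints are placeholders, not real keys.
SAMPLE_COLONS='tru::1:1296850000:0:3:1:5
pub:-:4096:1:AAAAAAAAAAAAAAAA:1296800000:::-:::scESC:
fpr:::::::::0000111122223333444455556666777788889999:
uid:-::::1296800000::ABCDEF::Example Archive Key (constructed) <example@example.invalid>:
sub:-:4096:1:BBBBBBBBBBBBBBBB:1296800000::::::s:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
pub:-:2048:1:CCCCCCCCCCCCCCCC:1296800000:::-:::scESC:
fpr:::::::::FFFFEEEEDDDDCCCCBBBBAAAA9999888877776666:'

# Run the parser over the constructed sample (no gpg needed).
sample_verifyrelease() {
    printf '%s\n' "$SAMPLE_COLONS" | fingerprints_to_verifyrelease
}
```

Run `verifyrelease_line_from_keyring /etc/apt/trusted.gpg` on a host with gpg to produce the line for the real keyring; the two primary keys in the sample yield the two fingerprints separated by `|`, with the subkey left out.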