Always verify before unpacking the keyring.tar.xz files
Bug #1195057 reported by
Barry Warsaw
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Ubuntu system image |
Fix Released
|
High
|
Barry Warsaw | ||
| system-image (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
I might already be doing this, but filing this bug so I don't forget to double check. Based on notes from a previous discussion, we always want to verify the keyring.tar.xz files before we unpack the .gpg keys, even if we don't have to download them.
Related branches
| Changed in ubuntu-system-image: | |
| importance: | Undecided → Medium |
| status: | New → Triaged |
| Changed in ubuntu-system-image: | |
| importance: | Medium → High |
| summary: |
- Always verify and unpack the keyring.tar.xz files + Always verify before unpacking the keyring.tar.xz files |
| Changed in ubuntu-system-image: | |
| assignee: | nobody → Barry Warsaw (barry) |
| milestone: | none → 2.0 |
| status: | Triaged → In Progress |
Revision history for this message
| Barry Warsaw (barry) wrote | #1 |
Revision history for this message
| Barry Warsaw (barry) wrote | #2 |
| Changed in ubuntu-system-image: | |
| status: | In Progress → Fix Committed |
| Changed in ubuntu-system-image: | |
| status: | Fix Committed → Fix Released |
| Changed in system-image (Ubuntu): | |
| status: | New → Fix Released |
To post a comment you must log in.
Note that we only need to check the image master, image signing, and device signing keyrings. The blacklist keyring is *always* downloaded anew (and thus its signature is always checked). The archive master is *never* downloaded - it must exist on the file system and it is presumed to be valid. If the archive master were corrupt we couldn't do anything about it anyway, except exit with an error that the user probably couldn't (easily) recover from.