maas-images

Signature should cover size and sha256 of uncompressed images

Bug #1498234 reported by Mike Pontillo
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
maas-images
Triaged
Low
Unassigned

Bug Description

As an example, given the following JSON from simplestreams:

      "root-image.gz": {
       "path": "trusty/arm64/20150911/root-image.gz",
       "ftype": "root-image.gz",
       "sha256": "8466c35a1895bea7a31fb1502455871747e1821b1a7dfe27e5765dc315fdb2dc",
       "size": 303454455
      }

Note here that the sha256 covers only the *compressed* file. Once the file has been uncompressed, there is no way to validate its integrity in a trusted manner.

We should consider changing this to something like:

      "root-image.gz": {
       "path": "trusty/arm64/20150911/root-image.gz",
       "ftype": "root-image.gz",
       "sha256": "8466c35a1895bea7a31fb1502455871747e1821b1a7dfe27e5765dc315fdb2dc",
       "uncompressed_sha256": "6e03910d549413e945de384f27eeeacf11cad5d0108446aa776204fc775b6425",
       "size": 303454455
       "uncompressed_size": 1468006400
      }

Scott Moser (smoser)
affects: simplestreams → maas-images
Scott Moser (smoser)
Changed in maas-images:
status: New → Triaged
importance: Undecided → Low
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.