Check signature of SHA256SUMS

Bug #1198157 reported by Colin Watson
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Phablet Tools
Confirmed
High
Sergio Schvezov

Bug Description

Thanks for switching phablet-tools to use SHA256SUMS rather than the separated .md5sums files (bug 1196585). It would be a good idea to check the signature on that file too, since otherwise phablet-tools is vulnerable to man-in-the-middle attacks.

The ubuntu-keyring package is installed by default on all Ubuntu systems and contains /usr/share/keyrings/ubuntu-archive-keyring.gpg, which in turn contains the cdimage signing key.

Changed in phablet-tools:
status: New → Confirmed
assignee: nobody → Sergio Schvezov (sergiusens)
importance: Undecided → High
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.