Feature #7859
Have check-mirrors use a dedicated keyring
Start date: 2014-08-31
Due date:
% Done: 0%
Description
At the moment, when running from our servers, check-mirrors uses the keyring of its Unix user, with only the right signing key imported in it.
This shouldn’t matter when it’s running as a dedicated user, but in other cases a mirror could publish a signature that is valid according to a different key.
Source code: git clone https://git.tails.boum.org/check-mirrors
Mentoring: tails-mirrors@boum.org
Subtasks
History
#1 Updated by BitingBird 2015-01-04 18:53:11
- Category changed from 214 to Infrastructure
- Affected tool set to check-mirrors
#2 Updated by Anonymous 2017-06-29 15:03:02
- Assignee set to sajolida
- QA Check set to Info Needed
I don’t really understand the problem, could you please clarify?
#3 Updated by intrigeri 2017-06-29 15:10:03
- Assignee deleted (sajolida)
- QA Check deleted (Info Needed)
check-mirrors checks the detached signature on our ISO image published by mirrors. What we want to check is that this signature 1. is valid; 2. was made by the Tails signing key. Currently we only check it’s made by some key that’s in the user’s public keyring.
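The two conditions from comment #3, as an added example that is not part of the ticket or of check-mirrors itself: verify with `gpgv` against a keyring file holding only the signing key, then require a `VALIDSIG` status line whose primary-key fingerprint matches. The fingerprints, the keyring path and the sample status output are constructed placeholders.

```shell
#!/bin/sh
# Added example, not check-mirrors code. Fingerprints, path and sample status
# output are constructed placeholders, not the real Tails signing key.
EXPECTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"
KEYRING="/etc/check-mirrors/signing-key.gpg"   # hypothetical: holds one key only

# Read GnuPG --status-fd lines on stdin. Succeed only if the signature is
# valid AND was made by the key whose primary fingerprint is $1.
status_is_signed_by() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        # A signature that failed, expired, or came from an expired/revoked key.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 12 is the primary key fingerprint (the signature itself
            # may come from a subkey); fall back to field 3 if it is absent.
            fpr = (NF >= 12) ? $12 : $3
            if (fpr == want) good = 1; else bad = 1
        }
        END { exit ((good && !bad) ? 0 : 1) }
    '
}

# Verify detached signature $1 over image $2. gpgv uses the keyring file it
# is given rather than the public keyring of the Unix user running it.
verify_iso() {
    gpgv --keyring "$KEYRING" --status-fd 1 "$1" "$2" 2>/dev/null |
        status_is_signed_by "$EXPECTED_FPR"
}

# Constructed status output: a cryptographically valid signature, but from a
# different key that happened to be in the keyring. This must be rejected.
SAMPLE_OTHER_KEY="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Constructed Other Key
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2014-08-31 1409443200 0 4 0 1 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98"
```

Relying on the status lines rather than on gpg's exit code alone is what separates "some key in the keyring signed this" from "the expected key signed this".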
#4 Updated by sajolida 2018-04-21 15:48:46
- Description updated
- Starter set to Yes
#5 Updated by sajolida 2018-04-21 15:50:57
- Description updated
#6 Updated by intrigeri 2019-04-07 07:09:44
- Subject changed from Have check-mirror use a dedicated keyring to Have check-mirrors use a dedicated keyring