Feature #7859: Have check-mirrors use a dedicated keyring

Feature #7859

Have check-mirrors use a dedicated keyring

Added by sajolida 2014-08-31 06:44:34 . Updated 2019-04-07 07:09:44 .

Status:

Confirmed

Priority:

Normal

Assignee:

Category:

Infrastructure

Target version:

Start date:

2014-08-31

Due date:

% Done:

Feature Branch:

Type of work:

Code

Blueprint:

Starter:

Affected tool:

check-mirrors

Deliverable for:

Description

At the moment when running from our servers, check-mirror uses the keyring of its Unix user, with only the right signing key imported in it.

This shouldn’t matter when it’s running as a dedicated user but in other case, a mirror could publish a signature that is valid according to a different key.

Source code: git clone https://git.tails.boum.org/check-mirrors
Mentoring: tails-mirrors@boum.org

Subtasks

History

#1 Updated by BitingBird 2015-01-04 18:53:11

Category changed from 214 to Infrastructure
Affected tool set to check-mirrors

#2 Updated by Anonymous 2017-06-29 15:03:02

Assignee set to sajolida
QA Check set to Info Needed

I dont really understand the problem, could you please clarify?

#3 Updated by intrigeri 2017-06-29 15:10:03

Assignee deleted (~~sajolida~~)
QA Check deleted (~~Info Needed~~)

check-mirrors checks the detached signature on our ISO image published by mirrors. What we want to check is that this signature 1. is valid; 2. was made by the Tails signing key. Currently we only check it’s made by some key that’s in the user’s public keyring.

#4 Updated by sajolida 2018-04-21 15:48:46

Description updated
Starter set to Yes

#5 Updated by sajolida 2018-04-21 15:50:57

Description updated

#6 Updated by intrigeri 2019-04-07 07:09:44

Subject changed from Have check-mirror use a dedicated keyring to Have check-mirrors use a dedicated keyring