MAAS

  1. Bug #1039513
  2. Comment #1

Comment 1 for bug 1039513

Revision history for this message
Scott Moser (smoser) wrote : Re: maas-import-pxe-files should cryptographically verify what it downloads

fwiw, this is a regression over the use of 'cobbler-ubuntu-import', which does do gpg checking against /usr/share/keyrings/ubuntu-archive-keyring.gpg [1]. That was added under bug 974460.

Outside of the race condition, which I'm willing to ignore for the time being, we can just use the same solution there.

Note also that a "InRelease" (signed content in same file as payload) does not fix this entirely either, as there is still the race between downloading the ISO and the the signed file.

--
[1] http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/quantal/cobbler/quantal/view/head:/debian/cobbler-ubuntu-import#L86