fwiw, this is a regression over the use of 'cobbler-ubuntu-import', which does do gpg checking against /usr/share/keyrings/ubuntu-archive-keyring.gpg [1]. That was added under bug 974460.
Outside of the race condition, which I'm willing to ignore for the time being, we can just use the same solution there.
Note also that a "InRelease" (signed content in same file as payload) does not fix this entirely either, as there is still the race between downloading the ISO and the the signed file.
fwiw, this is a regression over the use of 'cobbler- ubuntu- import' , which does do gpg checking against /usr/share/ keyrings/ ubuntu- archive- keyring. gpg [1]. That was added under bug 974460.
Outside of the race condition, which I'm willing to ignore for the time being, we can just use the same solution there.
Note also that a "InRelease" (signed content in same file as payload) does not fix this entirely either, as there is still the race between downloading the ISO and the the signed file.
-- bazaar. launchpad. net/~ubuntu- branches/ ubuntu/ quantal/ cobbler/ quantal/ view/head: /debian/ cobbler- ubuntu- import# L86
[1] http://