Bug #7056 (closed)
Add gpg keys to repo for proper iso download verification method
Status: Duplicate
Priority: Normal
Assignee: -
Category: Unknown
Target version: -
Start date: 12/30/2016
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:
Description
Currently there is no legitimate way to properly verify the .iso download has not been tampered with.
The sha256 files are not signed, and are posted on the same server that the files are hosted on.
The key must be web of trust signed by "trusted" third parties to prevent a simple hack of a webpage and the replacement of the signature and key ID that users should fetch.
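
The verification flow this report asks for, as an added example (not part of the original report and not the project's own tooling): authenticate the checksum list with a detached signature first, and only then compare the ISO's hash against it. The file names, the `verify_iso` function and the keyring path are assumptions, and it pins a keyring obtained out of band instead of relying on web-of-trust signatures.

```bash
#!/usr/bin/env bash
# Added example: verify a signed checksum list, then the ISO against it.
# File names and the keyring path are assumptions, not the project's real ones.

# verify_iso ISO SUMS SIG KEYRING
# Returns 0 only if (1) SIG is a valid detached signature over SUMS made by a
# key in KEYRING, and (2) SUMS lists a SHA-256 for ISO that matches the file.
verify_iso() {
    local iso sums sig keyring name expected actual
    iso=$1; sums=$2; sig=$3; keyring=$4

    # Step 1: authenticate the checksum list before trusting anything in it.
    # gpgv accepts only keys present in the given keyring, so that keyring must
    # come from a channel other than the download server. Pass a path that
    # contains a slash, otherwise gpgv resolves it relative to its home dir.
    if ! gpgv --keyring "$keyring" "$sig" "$sums" >/dev/null 2>&1; then
        echo "FAIL: signature on $sums did not verify" >&2
        return 2
    fi

    # Step 2: look up the expected hash for this exact file name
    # (sha256sum format: "<hex>  name" or "<hex> *name").
    name=$(basename "$iso")
    expected=$(awk -v f="$name" \
        '{ n = $2; sub(/^\*/, "", n); if (n == f) { print $1; exit } }' "$sums")
    if [ -z "$expected" ]; then
        echo "FAIL: $name is not listed in $sums" >&2
        return 3
    fi

    # Step 3: hash the download and compare with the signed value.
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "FAIL: SHA-256 mismatch for $name" >&2
        return 4
    fi
    echo "OK: $name matches the signed checksum"
}
```

Skipping step 1 reproduces the situation the report describes: a checksum file that anyone able to replace the ISO can replace as well.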