Viewing all changes in revision 348.
- Committer: Scott Moser
- Date: 2016-11-08 18:23:05 UTC
- Revision ID: smoser@ubuntu.com-20161108182305-7jouh8ads0egg7z3
Add and use local keyring for verification of d-i data.
Debian installer data published to archive.ubuntu.com
(and ports.ubuntu.com) is "scraped" as described in README.di-scraping.
The download data was verified using the gpg keyring installed from the
archive' ubuntu-keyring (/usr/share/keyrings/ubuntu-archive-keyring.gpg).
A transition is being made from signing with the dsa1024 'Archive'
signing key below to the newer rsa4096 Archive key.
In zesty, the package installed keyring no longer contains the
older key. Thus 2 things would break:
a.) attempting to published data of an older release while running
on zesty
b.) attempting to verify older zesty data as the transition occurred
during the zesty release cycle.
The solution here is to check in the gpg keyring that was provided
by the Ubuntu 16.04 (xenial) package ubuntu-keyring, and to use that
for verification.
$ gpg keyring.gpg
pub dsa1024 2004-09-12 [SC]
630239CC130E1A7FD81A27B140976EAF437D05B5
uid Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
sub elg2048 2004-09-12 [E]
pub dsa1024 2004-12-30 [SC]
C5986B4F1257FFA86632CBA746181433FBB75451
uid Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>
pub rsa4096 2012-05-11 [SC]
790BC7277767219C42C86F933B4FE6ACC0B21F32
uid Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>
pub rsa4096 2012-05-11 [SC]
843938DF228D22F7B3742BC0D94AA3F0EFE21092
uid Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>
Debian installer data published to archive.ubuntu.com
(and ports.ubuntu.com) is "scraped" as described in README.di-scraping.
The download data was verified using the gpg keyring installed from the
archive' ubuntu-keyring (/usr/share/keyrings/ubuntu-archive-keyring.gpg).
A transition is being made from signing with the dsa1024 'Archive'
signing key below to the newer rsa4096 Archive key.
In zesty, the package installed keyring no longer contains the
older key. Thus 2 things would break:
a.) attempting to published data of an older release while running
on zesty
b.) attempting to verify older zesty data as the transition occurred
during the zesty release cycle.
The solution here is to check in the gpg keyring that was provided
by the Ubuntu 16.04 (xenial) package ubuntu-keyring, and to use that
for verification.
$ gpg keyring.gpg
pub dsa1024 2004-09-12 [SC]
630239CC130E1A7FD81A27B140976EAF437D05B5
uid Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>
sub elg2048 2004-09-12 [E]
pub dsa1024 2004-12-30 [SC]
C5986B4F1257FFA86632CBA746181433FBB75451
uid Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>
pub rsa4096 2012-05-11 [SC]
790BC7277767219C42C86F933B4FE6ACC0B21F32
uid Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>
pub rsa4096 2012-05-11 [SC]
843938DF228D22F7B3742BC0D94AA3F0EFE21092
uid Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>
- files added:
- keyring.gpg
- files modified:
- meph2/netinst.py
expand all
collapse all
added
removed
