Opened 6 years ago

Last modified 22 months ago

#8689 new defect

Periodically verify signatures in /dist

Reported by: mo Owned by:
Priority: Medium Milestone:
Component: Internal Services/Service - dist Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Give the recent bad signatures of some files in /dist that only came to light after a user emailed helpdesk, I wrote a bash script that I now run periodically on my dist mirror to verify the signatures. I think it's not a bad idea to run it on tpo.org as well.

As first argument, it takes the path to /dist. It uses a local independent public keyring I update from time to time. That path must be customized in the script.

It currently excludes /dist/manual because that contains unsigned copies of the user manual.

Child Tickets

Attachments (1)

verify-dist-signatures.sh (420 bytes) - added by mo 6 years ago.

Download all attachments as: .zip

Change History (6)

Changed 6 years ago by mo

Attachment: verify-dist-signatures.sh added

comment:1 Changed 6 years ago by arma

Sounds like we should get this script into version control somewhere.

Weasel, do you know of a good place for it? (we have similar things in old svn)

comment:2 Changed 6 years ago by weasel

Nice idea, but first we should probably split /dist from the rest of www, and then maybe do something so that only signed files can be added to dist in the first place..

comment:3 Changed 6 years ago by weasel

We need a team that takes care of dist. That's not sysadmin.

comment:4 Changed 6 years ago by weasel

Component: Tor Sysadmin TeamService - dist

comment:5 Changed 22 months ago by teor

Severity: Normal

Set all open tickets without a severity to "Normal"

Note: See TracTickets for help on using tickets.