On 25/07/2019 00:00, Thomas Goirand wrote:
> On the secret files found here:
> http://cloud.debian.org/cdimage/cloud/
>
> there's a json file attached. Unfortunately, there's no SHA512, and of
> course, no GPG signature of this file, so it's impossible to check the validity
> of the images. Please at least add a SHA512, then we can see later how we
> can sign the json file.
What do we need in order to actually make this happen? I presume this needs a code change in https://salsa.debian.org/cloud-team/debian-cloud-images? If so, I'd like to take that on.

Clearly it makes sense to include the checksum(s) in the build.json file, but:

- Which checksums should we include? Our Apt repos use MD5 and SHA-256, and our ISOs use MD5, SHA-1, SHA-256 and SHA-512. I'd be inclined to suggest SHA-256 and SHA-512 only, personally.

- I know the manifests are inspired by Kubernetes, but the checksums don't feel like they have a natural place in the current data structure. I can see three options:

  1. Add labels of the form "checksum.cloud.debian.org/${ALGO}" under metadata.labels, for example "checksum.cloud.debian.org/sha256".
  2. Add keys under data.info of the form "${ALGO}sum", for example "sha256sum".
  3. Add a new mapping within the "data" mapping called "checksums" with keys for each algorithm, e.g. "data.checksums.sha256".

  In each case I expect the values to be hex strings, effectively the same as the first column of the output from sha1sum, sha256sum, sha512sum, etc... from coreutils.

- Should we also generate the relevant SHA1SUM / SHA256SUM / SHA512SUM / etc... files as might be consumed by the coreutils tools?

- Should we GPG-sign the manifests, logs, and/or checksum files? How might we go about this?

Cheers,
Chris

-- 
Chris Boot
bo...@debian.org
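As an added example (not code from debian-cloud-images or from either poster), here is a small Python script showing the third layout discussed above: it fills data.checksums.<algo> in a build.json-style manifest, emits a line in the format the coreutils `sha256sum -c` tools consume, and verifies an image against the manifest. The manifest, the image bytes and the data.info.image key holding the file name are all constructed assumptions.

```python
import hashlib
import json

# Assumption: only the two algorithms suggested in the thread are recorded.
ALGOS = ("sha256", "sha512")

# Constructed sample: a build.json-style manifest and a tiny stand-in "image".
MANIFEST = {
    "apiVersion": "cloud.debian.org/v1alpha1",
    "kind": "Build",
    "metadata": {"labels": {}},
    "data": {"info": {"image": "debian-example.raw"}},  # hypothetical key
}
IMAGE = b"abc"  # constructed stand-in for the image file contents


def digest(data: bytes, algo: str) -> str:
    """Hex digest, same form as the first column of sha256sum/sha512sum output."""
    return hashlib.new(algo, data).hexdigest()


def add_checksums(manifest: dict, image: bytes) -> dict:
    """Return a copy of the manifest with data.checksums.<algo> filled in."""
    out = json.loads(json.dumps(manifest))  # deep copy; leaves the input untouched
    out.setdefault("data", {})["checksums"] = {a: digest(image, a) for a in ALGOS}
    return out


def sums_file_line(manifest: dict, algo: str) -> str:
    """One '<hex>  <filename>' line, as consumed by `sha256sum -c SHA256SUMS`."""
    name = manifest["data"]["info"]["image"]
    return f"{manifest['data']['checksums'][algo]}  {name}\n"


def verify(manifest: dict, image: bytes) -> bool:
    """True only if every recorded checksum matches the image bytes.

    A manifest with no checksums, an unknown algorithm, or any mismatch fails:
    a verifier must never treat a missing checksum as a pass.
    """
    sums = manifest.get("data", {}).get("checksums", {})
    if not sums:
        return False
    try:
        return all(digest(image, a) == hexval for a, hexval in sums.items())
    except ValueError:  # hashlib.new() rejects algorithm names it does not know
        return False


if __name__ == "__main__":
    signed = add_checksums(MANIFEST, IMAGE)
    print(json.dumps(signed, indent=2))
    print(sums_file_line(signed, "sha256"), end="")
    print("verify:", verify(signed, IMAGE))
```

Signing the resulting manifest or the SHA256SUMS file (e.g. with a detached GPG signature) is a separate step that this script does not cover.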