Installers are not signed?

It’s a pretty common practice nowadays to sign downloads so users can verify that the files haven’t been tampered with (if the site gets compromised, the attackers can replace downloads & the sha256 sums easily).

@1punman Welcome to the Rockstor forum.

Indeed, we should do this for our installers. However, we do already sign all our repos, and every ‘rockstor’ rpm package in them, and every upstream rpm is similarly signed by openSUSE/SuSE, as is their more modern default; with zypper enforcing these signings.

But yes, we should also sign the entire installer. We just haven’t got to how we do this yet!

I’ve created the following issue in our Kiwi-ng installer config repo:

So if anyone can chip in with how this is done using Kiwi-ng, our installer builder, that would be great. Otherwise a core developer will likely get to this issue where mostly human resources allow.

In the interim, if this situation is a show-stopper, the above repo can be used to build one’s own installer locally, or a custom variant if that is required. The README.md there has full instructions and references, in turn, the upstream Kiwi-ng docs.

Hope that helps.


@1punman I’ve edited the title of this thread to be more specific to the installers themselves - given our rpm packages and repos are already signed.
