launchpad-reviewers team mailing list archive

Thread
Date

[Merge] lp:~cjwatson/launchpad/sign-installer into lp:launchpad

To: mp+85670@xxxxxxxxxxxxxxxxxx
From: Colin Watson <cjwatson@xxxxxxxxxxxxx>
Date: Wed, 14 Dec 2011 14:37:25 -0000
Reply-to: mp+85670@xxxxxxxxxxxxxxxxxx
Sender: bounces@xxxxxxxxxxxxx

Colin Watson has proposed merging lp:~cjwatson/launchpad/sign-installer into lp:launchpad.

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)
Related bugs:
  Bug #383044 in Launchpad itself: "No GPG signatures for nonstandard installers"
  https://bugs.launchpad.net/launchpad/+bug/383044

For more details, see:
https://code.launchpad.net/~cjwatson/launchpad/sign-installer/+merge/85670

= Summary =

As reported in bug 383044, we should sign Ubuntu's files containing checksums of installer images so that there's a reasonable trust path to download them.

== Proposed fix ==

Extend the existing ad-hoc cronscripts/publishing/distro-parts/ubuntu/publish-distro.d/10-sign-releases script.  This is Ubuntu-specific.

== Pre-implementation notes ==

I discussed this approach with lifeless on the bug.  He reckoned it was OK to extend this script for now, although it would be better to do it for all primary archives.  I haven't attempted the latter yet as that path isn't used for Ubuntu, and I'm not honestly sure whether derived distributions in Launchpad are going to need this.

== Implementation details ==

None.

== Tests ==

This script is untestable right now, as far as I know; test_publish_ftpmaster just tests that scripts in the publish-distro.d directory will get run.

== Demo and Q/A ==

Create /srv/launchpad.net/ubuntu-archive/gnupg-home with some kind of useful GPG configuration on dogfood (mirroring production, I suppose, only with a different key) so that we can sign things.  Do a full publish-ftpmaster run on dogfood and check that dists/p-series/main/installer-*/current/images/*SUMS get correctly signed with dogfood's key.

== lint ==

None.
-- 
https://code.launchpad.net/~cjwatson/launchpad/sign-installer/+merge/85670
Your team Launchpad code reviewers is requested to review the proposed merge of lp:~cjwatson/launchpad/sign-installer into lp:launchpad.

=== modified file 'cronscripts/publishing/distro-parts/ubuntu/publish-distro.d/10-sign-releases'
--- cronscripts/publishing/distro-parts/ubuntu/publish-distro.d/10-sign-releases	2011-08-08 06:05:38 +0000
+++ cronscripts/publishing/distro-parts/ubuntu/publish-distro.d/10-sign-releases	2011-12-14 14:36:25 +0000
@@ -14,8 +14,10 @@
 RELEASE_FILES=`find $DISTSROOT -maxdepth 2 -name Release`
 DIST_UPGRADER_TARBALLS=`
 	find $DISTSROOT/*/*/dist-upgrader* -name "*.tar.gz" || true`
+INSTALLER_CHECKSUMS=`
+	find $DISTSROOT/*/*/installer-* -name "*SUMS" || true`
 
-for CANDIDATE in $RELEASE_FILES $DIST_UPGRADER_TARBALLS
+for CANDIDATE in $RELEASE_FILES $DIST_UPGRADER_TARBALLS $INSTALLER_CHECKSUMS
 do
     if [ ! -f "$CANDIDATE.gpg" ] || [ "$CANDIDATE" -nt "$CANDIDATE.gpg" ]
     then