View Issue Details

ID: 0008022
Project: Kali Linux
Category: Feature Requests
View Status: public
Last Update: 2022-10-31 08:25
Reporter: equinox
Assigned To: arnaudr
Priority: normal
Severity: feature
Reproducibility: always
Status: resolved
Resolution: fixed
Summary: 0008022: Please consider signing checksum files for netboot install media
Description

I use Ansible to generate customized installation media for fully automated installations. As a first step my setup downloads the original installation media (i.e. the mini.iso or the netboot kernel+initrd) from http://http.kali.org/dists/kali-rolling/main/installer-amd64/current/images. This directory does contain checksum files but unfortunately those files are not signed. On Debian the checksum files are actually part of the Release file and can therefore be verified using the same keyring that is used to verify APT packages.

Steps To Reproduce

Compare the output of

$ curl -L http://http.kali.org/dists/kali-rolling/Release

and

$ curl -L http://deb.debian.org/debian/dists/bullseye/Release

The Debian Release files do contain checksums for files like main/installer-amd64/current/images/SHA256SUMS whereas the Kali Release files don't.

Additional Information

On Ubuntu this has been solved slightly differently. Here the SHA256SUMS files are signed directly using the Ubuntu archive keyring, as can be seen here: http://archive.ubuntu.com/ubuntu/dists/focal/main/installer-amd64/current/legacy-images/.
I don't really care how this is done; as long as I can verify the file downloads using a keyring that I can put into my Ansible repository, I am satisfied.

Activities

arnaudr

2022-10-26 00:50

manager   ~0016999

Thanks for the detailed report! I can see us signing the files in the same way as Ubuntu does it. Let me check.

arnaudr

2022-10-27 04:43

manager   ~0017009

Last edited: 2022-10-27 04:43

I notice that we DO have signed checksum files in the following directories:

And it covers the file "mini.iso" and "netboot.tar.gz". I don't know if it's enough for your use-case though.

arnaudr

2022-10-28 04:33

manager   ~0017013

In any case, I followed the Ubuntu way, and we now sign the top-level checksum files. Check http://http.kali.org/kali/dists/kali-rolling/main/installer-amd64/current/images/, the signatures should appear there in a few hours. Feel free to re-open the ticket if there are still issues. Cheers!
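One way a consumer of these files could verify a download once the checksum files are signed, as an added example that is not part of the ticket or of Kali's own tooling. It assumes the detached signature is named SHA256SUMS.gpg (the Ubuntu convention the ticket refers to) and that the caller supplies a pinned keyring file; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check the signature on SHA256SUMS first, and only then
# trust the hashes it lists. Assumed layout: DIR/SHA256SUMS, DIR/SHA256SUMS.gpg.

# verify_sums KEYRING SUMS SIG: succeeds only if SIG is a valid detached
# signature over SUMS made by a key contained in KEYRING.
verify_sums() {
    # gpgv looks up slash-less keyring names in its home directory, so
    # force a path that points at the pinned file.
    case "$1" in */*) kr=$1 ;; *) kr=./$1 ;; esac
    gpgv --keyring "$kr" "$3" "$2"
}

# expected_hash SUMS NAME: prints the hash listed for NAME. Fails when the
# entry is missing or listed more than once (ambiguous).
expected_hash() {
    awk -v want="${2#./}" '
        { name = $2; sub(/^\*/, "", name); sub(/^\.\//, "", name) }
        name == want { print $1; found++ }
        END { if (found != 1) exit 1 }
    ' "$1"
}

# check_file SUMS NAME LOCALFILE: compares LOCALFILE with the listed hash.
check_file() {
    want=$(expected_hash "$1" "$2") || return 1
    got=$(sha256sum "$3" | awk '{ print $1 }')
    [ -n "$got" ] && [ "$want" = "$got" ]
}

# verify_media KEYRING DIR NAME: the full chain, signature then hash.
verify_media() {
    verify_sums "$1" "$2/SHA256SUMS" "$2/SHA256SUMS.gpg" || return 1
    check_file "$2/SHA256SUMS" "$3" "$2/$3"
}

# Usage (paths are placeholders):
#   verify_media ./pinned-keyring.gpg ./images netboot/mini.iso
```

Because trust comes from the signature check against the pinned keyring, the files can still be fetched over plain HTTP as in the ticket; a non-zero return from `verify_media` should abort the image build.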

Issue History

Date Modified Username Field Change
2022-10-25 16:38 equinox New Issue
2022-10-26 00:50 arnaudr Note Added: 0016999
2022-10-27 04:43 arnaudr Note Added: 0017009
2022-10-27 04:43 arnaudr Note Edited: 0017009
2022-10-28 04:33 arnaudr Note Added: 0017013
2022-10-28 04:34 arnaudr Assigned To => arnaudr
2022-10-28 04:34 arnaudr Status new => assigned
2022-10-28 04:34 arnaudr Status assigned => resolved
2022-10-28 04:34 arnaudr Resolution open => fixed