0008022: Please consider signing checksum files for netboot install media - Kali Linux Bug Tracker

ID	Project	Category	View Status	Date Submitted	Last Update

0008022	Kali Linux	Feature Requests	public	2022-10-25 16:38	2022-10-31 08:25

Reporter	equinox	Assigned To	arnaudr
Priority	normal	Severity	feature	Reproducibility	always
Status	resolved	Resolution	fixed

Summary	0008022: Please consider signing checksum files for netboot install media
Description	I use Ansible to generate customized installation media for fully automated installations. As a first step my setup downloads the original installation media (i.e. the mini.iso or the netboot kernel+initrd) from `http://http.kali.org/dists/kali-rolling/main/installer-amd64/current/images`. This directory does contain checksum files but unfortunately those files are not signed. On Debian the checksum files are actually part of the Release file and can therefore be verified using the same keyring that is used to verify APT packages.
Steps To Reproduce	Compare the output of $ curl -L http://http.kali.org/dists/kali-rolling/Release and $curl -L http://deb.debian.org/debian/dists/bullseye/Release The Debian Release files do contain checksums for files like `main/installer-amd64/current/images/SHA256SUMS` whereas the Kali Release files don't.
Additional Information	On Ubuntu this has been solved slightly different. Here the SHA256SUMS files are signed directly using the Ubuntu archive Keyring as can be seen here: http://archive.ubuntu.com/ubuntu/dists/focal/main/installer-amd64/current/legacy-images/. I don't really care how this is done as long as i can verify the file downloads using a keyring that i can put into my Ansible repository i am satisfied.

arnaudr 2022-10-26 00:50 manager ~0016999	Thanks for the detailed report! I can see us signing the files in the same way as Ubuntu does it. Let me check.

arnaudr 2022-10-27 04:43 manager ~0017009 Last edited: 2022-10-27 04:43	I notice that we DO have signed checksum files in the following directories: http://http.kali.org/kali/dists/kali-dev/main/installer-amd64/current/images/netboot/ http://http.kali.org/kali/dists/kali-dev/main/installer-amd64/current/images/netboot/gtk/ And it covers the file "mini.iso" and "netboot.tar.gz". I don't know if it's enough for your use-case though.

arnaudr 2022-10-28 04:33 manager ~0017013	In any case, I followed the Ubuntu way, and we now sign the top-level checksum files. Check http://http.kali.org/kali/dists/kali-rolling/main/installer-amd64/current/images/, the signatures should appear there in a few hours. Feel free to re-open the ticket if there are still issues. Cheers!

Date Modified	Username	Field	Change
2022-10-25 16:38	equinox	New Issue
2022-10-26 00:50	arnaudr	Note Added: 0016999
2022-10-27 04:43	arnaudr	Note Added: 0017009
2022-10-27 04:43	arnaudr	Note Edited: 0017009
2022-10-28 04:33	arnaudr	Note Added: 0017013
2022-10-28 04:34	arnaudr	Assigned To	=> arnaudr
2022-10-28 04:34	arnaudr	Status	new => assigned
2022-10-28 04:34	arnaudr	Status	assigned => resolved
2022-10-28 04:34	arnaudr	Resolution	open => fixed