View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0008022 | Kali Linux | [All Projects] Feature Requests | public | 2022-10-25 16:38 | 2022-10-31 08:25 |
| Reporter | equinox | Assigned To | arnaudr | ||
| Priority | normal | Severity | feature | Reproducibility | always |
| Status | resolved | Resolution | fixed | ||
| Product Version | |||||
| Target Version | Fixed in Version | ||||
| Summary | 0008022: Please consider signing checksum files for netboot install media | ||||
| Description | I use Ansible to generate customized installation media for fully automated installations. As a first step my setup downloads the original installation media (i.e. the mini.iso or the netboot kernel+initrd) from `http://http.kali.org/dists/kali-rolling/main/installer-amd64/current/images`. This directory does contain checksum files but unfortunately those files are not signed. On Debian the checksum files are actually part of the Release file and can therefore be verified using the same keyring that is used to verify APT packages. | ||||
| Steps To Reproduce | Compare the output of $ curl -L http://http.kali.org/dists/kali-rolling/Release and $curl -L http://deb.debian.org/debian/dists/bullseye/Release The Debian Release files do contain checksums for files like `main/installer-amd64/current/images/SHA256SUMS` whereas the Kali Release files don't. | ||||
| Additional Information | On Ubuntu this has been solved slightly different. Here the SHA256SUMS files are signed directly using the Ubuntu archive Keyring as can be seen here: http://archive.ubuntu.com/ubuntu/dists/focal/main/installer-amd64/current/legacy-images/. I don't really care how this is done as long as i can verify the file downloads using a keyring that i can put into my Ansible repository i am satisfied. | ||||
|
|
Thanks for the detailed report! I can see us signing the files in the same way as Ubuntu does it. Let me check. |
|
|
I notice that we DO have signed checksum files in the following directories: * http://http.kali.org/kali/dists/kali-dev/main/installer-amd64/current/images/netboot/ * http://http.kali.org/kali/dists/kali-dev/main/installer-amd64/current/images/netboot/gtk/ And it covers the file "mini.iso" and "netboot.tar.gz". I don't know if it's enough for your use-case though. |
|
|
In any case, I followed the Ubuntu way, and we now sign the top-level checksum files. Check http://http.kali.org/kali/dists/kali-rolling/main/installer-amd64/current/images/, the signatures should appear there in a few hours. Feel free to re-open the ticket if there are still issues. Cheers! |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2022-10-25 16:38 | equinox | New Issue | |
| 2022-10-26 00:50 | arnaudr | Note Added: 0016999 | |
| 2022-10-27 04:43 | arnaudr | Note Added: 0017009 | |
| 2022-10-27 04:43 | arnaudr | Note Edited: 0017009 | View Revisions |
| 2022-10-28 04:33 | arnaudr | Note Added: 0017013 | |
| 2022-10-28 04:34 | arnaudr | Assigned To | => arnaudr |
| 2022-10-28 04:34 | arnaudr | Status | new => assigned |
| 2022-10-28 04:34 | arnaudr | Status | assigned => resolved |
| 2022-10-28 04:34 | arnaudr | Resolution | open => fixed |