Verifying integrity of downloads


#1

We need to make an MD5 hash of the released downloads publicly available. Are these displayed somewhere I can’t find, or do we need to start moving them over from the build system?

cc/ @jprause


#2

We will work on adding MD5 signatures with the releases that are publicly available. This would only affect future releases when resolved.


#3

That’s great - thanks for looking into it.


#4

@johnmark: Pretty close to having a solution ready.

Question: I’m preparing to name the resultant checksum files: md5sum and sha256sum

Is that okay with you, or do you prefer another naming convention?


#5

That sounds good. Go for it.


#6

Although there will be multiple images for download, so you’re using the naming convention of [image name].md5sum, right?


#7

@johnmark: This request has now been fulfilled, with a caveat.

Before this request came in for upstream, there was a similar request by the QE team to have a sha256sum for the downstream builds. Working these two issues, we decided to go with the sha256sum and drop the md5sum, as it seemed redundant to have both, and sha256sum is more secure.

This allowed us to leverage the feature in gpg to create a signature and a public.key file to verify the integrity not only of the builds, but also of the checksum file as well. Thus, one can verify that the checksum file was not modified since it was created and signed.

These changes were implemented for last night’s build. If you review the upstream latest, you’ll find the following files:

  • SHA256SUM - ascii file containing the checksums of the appliances from the nightly build
  • SHA256SUM.sig - gpg signature file used to verify that the SHA256SUM file has not been changed since it was originally signed.
  • cfme_public.key - gpg public key which must be imported before first use. This allows gpg to run the verify as described above.
  • manageiq-ovirt-master-201506012000-899b0e79.qc2
  • manageiq-openstack-master-201506012000-899b0e79.qc2
  • manageiq-vsphere-master-201506012000-899b0e79.qc2

While users may be familiar with the gpg commands to import the public key and run the verify, we will be adding a README that describes these commands. They are as follows:

  • How to import the public key. This will add the public key in the file “cfme_public.key” to your public key ring. Run the following at command line:
    gpg --import cfme_public.key

  • How to verify that the SHA256SUM has not been modified since being signed, run at command line:
    gpg --verify SHA256SUM.sig SHA256SUM

  • How to compare the checksums found in the SHA256SUM file to the appliances, run at the command line and then compare the result with the one found in the SHA256SUM file.
    sha256sum manageiq-vsphere-master-xxxxxx-xxxx.ova

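The three steps above (import the key, verify the signature on SHA256SUM, compare the image digests) scripted end to end, as an added example that is not the project's own code. It runs the same `gpg --verify SHA256SUM.sig SHA256SUM` command but additionally pins the signer's fingerprint, since `gpg --verify` exits 0 for any key already in the keyring and the public key is served from the same directory as the files it vouches for; the fingerprint value and the file names in the fixture are placeholders. It also parses the SHA256SUM file and checks every listed image rather than comparing two hex strings by eye. The fixture files and their contents are constructed inline.

```python
"""Added example (not ManageIQ project code): verify a nightly-build download.
Step 1: gpg --verify on the detached signature, accepting it only if the
signing key's fingerprint matches one pinned out of band.
Step 2: parse SHA256SUM and check every listed appliance image."""
import hashlib
import os
import re
import shutil
import subprocess
import tempfile

HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def parse_sha256sum(text):
    """Parse sha256sum(1) output: '<digest>  <name>' (text mode) or
    '<digest> *<name>' (binary mode). Returns {name: lowercase digest};
    a malformed line raises instead of being silently skipped."""
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        if " " not in line:
            raise ValueError("SHA256SUM line %d: no separator" % lineno)
        digest, rest = line.split(" ", 1)
        if not HEX64.match(digest):
            raise ValueError("SHA256SUM line %d: bad digest %r" % (lineno, digest))
        name = rest[1:] if rest.startswith(" ") else rest
        if name.startswith("*"):  # binary-mode marker
            name = name[1:]
        if not name:
            raise ValueError("SHA256SUM line %d: empty file name" % lineno)
        expected[name] = digest.lower()
    return expected


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256; appliance images are multi-GB."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def check_images(directory, expected):
    """Compare each listed file to its recorded digest.
    Returns {name: 'OK' | 'FAILED' | 'MISSING'}."""
    results = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif sha256_file(path) == digest:
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


def gpg_verify_pinned(sig_path, data_path, expected_fpr):
    """Run the post's `gpg --verify SIG DATA` with machine-readable status
    output and accept only a VALIDSIG whose signing-key or primary-key
    fingerprint equals expected_fpr (a value you obtained out of band, not
    from the download directory). Raises if gpg is not installed."""
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg not found on PATH")
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    if proc.returncode != 0:
        return False
    want = expected_fpr.replace(" ", "").upper()
    for line in proc.stdout.splitlines():
        if line.startswith("[GNUPG:] VALIDSIG "):
            fields = line.split()
            # fields[2] is the signing (sub)key fingerprint, fields[-1] the primary key's
            return want in (fields[2].upper(), fields[-1].upper())
    return False


def demo():
    """Constructed fixture: two fake images, one tampered after SHA256SUM was
    written, plus a listed image that was never downloaded."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, "manageiq-vsphere-master-example.qc2")
    bad = os.path.join(d, "manageiq-openstack-master-example.qc2")
    with open(good, "wb") as f:
        f.write(b"fake vsphere image\n" * 1000)
    with open(bad, "wb") as f:
        f.write(b"fake openstack image\n" * 1000)
    sums = "%s  %s\n%s *%s\n%s  %s\n" % (
        sha256_file(good), os.path.basename(good),
        sha256_file(bad), os.path.basename(bad),
        "0" * 64, "manageiq-ovirt-master-example.qc2")
    with open(bad, "ab") as f:
        f.write(b"tampered\n")
    try:
        return check_images(d, parse_sha256sum(sums))
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    # Real use: gpg_verify_pinned("SHA256SUM.sig", "SHA256SUM", "<pinned fingerprint>")
    # first, then check_images(".", parse_sha256sum(open("SHA256SUM").read())).
    for name, status in sorted(demo().items()):
        print(status, name)
```

Order matters: check the signature on SHA256SUM before trusting any digest in it, and treat a MISSING result as informational only when you deliberately downloaded a subset of the images.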

#8

This is terrific. Thanks. I’ll add a blog post about it.