On Sun, Feb 21, 2016 at 11:31:05AM -0700, Chris Murphy wrote:
> On Sun, Feb 21, 2016 at 7:32 AM, Sam Varshavchik <mrsam@xxxxxxxxxxxxxxx> wrote:
> > So, I see that someone hacked Linux Mint, and slipped in some trojaned ISO
> > download images.
> >
>
> Since Fedora looks to be moving to Live USB Creator (maybe Fedora
> Media Writer, TBD) as the primary download for Fedora 24, I wonder if
> the new tool automatically verifies the GPG signed hash file, and
> compares that hash with a computed one from the downloaded file?

If we had virt-builder metadata, virt-builder will check the SHA256
[by default] hash of the downloaded cloud image. The hash is
contained in the GPG signed metadata.

To do this, virt-builder ships with (or would ship with, if we had
virt-builder metadata) the Fedora GPG pubkey.

Currently SUSE are doing exactly this for their cloud images.

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
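The order of checks described in the reply above (signature on the metadata first, against a key that ships with the tool, then the SHA256 of the download against the signed value), sketched as an added example that is not virt-builder or Fedora code. It assumes a `sha256sum`-style metadata file with a detached signature and `gpgv` on the PATH; all function names and status strings are hypothetical.

```python
import hashlib
import subprocess


def signature_ok(metadata_path, sig_path, keyring_path):
    """True only if gpgv accepts the detached signature with the pinned keyring."""
    # gpgv trusts exactly the keys in this keyring and contacts no keyserver,
    # so the keyring must ship with the tool, never come from the download host.
    try:
        result = subprocess.run(
            ["gpgv", "--keyring", keyring_path, sig_path, metadata_path],
            capture_output=True,
        )
    except OSError:
        return False  # gpgv missing: fail closed
    return result.returncode == 0


def expected_sha256(metadata_text, image_name):
    """Find the image's hash in lines shaped like '<64 hex digits>  <name>'."""
    for line in metadata_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lstrip("*") == image_name:
            digest = parts[0].lower()
            if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest):
                return digest
    return None


def sha256_of(path, chunk_size=1 << 20):
    """Hash the file in chunks so large images are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(image_path, image_name, metadata_path, sig_path, keyring_path,
                 check_signature=signature_ok):
    # The metadata is untrusted until its signature verifies; a hash read from
    # an unsigned file on a compromised server proves nothing.
    if not check_signature(metadata_path, sig_path, keyring_path):
        return "bad-signature"
    with open(metadata_path, encoding="utf-8") as f:
        wanted = expected_sha256(f.read(), image_name)
    if wanted is None:
        return "not-listed"  # no signed hash for this image: do not trust it
    if wanted != sha256_of(image_path):
        return "hash-mismatch"
    return "ok"
```

Pass the keyring as an absolute path: `gpgv` resolves a bare filename relative to the GnuPG home directory.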