Hi, I have reviewed your patch.
* This did not work for 7.0.4 so this commit also upgrades to Owncloud 8.0.2. See #10 for discussion about v8.0.
* Just run `make verify-gpg-public-keys` and check if the (re)downloaded files have changed in git (they should not change unless owncloud changed their keys!).
Not including the signing key from ownCloud or at least specifying the fingerprint does destroy the whole purpose of checking the signature in the first place. What would happen when in the Dockerfile all three files are downloaded over https and someone hacks their website? Right, the attacker would create a new public/private key, sign the archive with it and upload the public key … When we remove the public key from this repo, there is no benefit in security … I tried to verify the authenticity of the public key as well as I can and the commit which added the file is GPG signed with my private key. Please reconsider …
Yeah okay. You are right. The altering of gpg keys should not happen frequently.
Not yet merged?
* GPG verification was added in 7650b36 but unfortunately has been broken after this commit.
* See jchaney/owncloud#12

* See jchaney/owncloud#12
* Removed commented out code.

* Testing against Debian Wheezy.
* Made ready for new DebOps documentation format.
* Don’t download the PGP key from the same source as the packages. See jchaney/owncloud#12 (comment)
define OWNCLOUD_LOCKING_ENABLED
8.0.2. See dockerfile: update to 8.0 #10 for discussion about v8.0.