streams should be gpg signed & gpg verified
Bug #1919339 reported by
Dimitri John Ledkov
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
MAAS |
Invalid
|
Undecided
|
Unassigned | ||
Ubuntu CD Images |
New
|
Undecided
|
Unassigned | ||
cloud-images |
New
|
Undecided
|
Unassigned | ||
Ubuntu |
New
|
Undecided
|
Unassigned |
Bug Description
streams should be gpg signed & gpg verified
Over at https:/
https:/
Similarly https:/
And ditto https:/
and any other streams that I might now.
Also multipass & maas should have access to the gpg keyrings (i.e. vendor various debs produced by src:ubuntu-keyring) and fetch streams with gpg verification.
Otherwise we cannot detect if streams get mirrored and tampered with.
information type: | Public → Public Security |
To post a comment you must log in.
https:/ /images. maas.io/ ephemeral- v3/stable/ streams/ v1/
The MAAS image stream is signed?