cloud-images

streams should be gpg signed & gpg verified

Bug #1919339 reported by Dimitri John Ledkov
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
MAAS
Invalid
Undecided
Unassigned
Ubuntu CD Images
New
Undecided
Unassigned
cloud-images
New
Undecided
Unassigned
Ubuntu
New
Undecided
Unassigned

Bug Description

streams should be gpg signed & gpg verified

Over at https://cloud-images.ubuntu.com/releases/streams/v1/

https://cloud-images.ubuntu.com/releases/streams/v1/index.sjson is GPG signed stream, with key available from src:ubuntu-keyring package.

Similarly https://images.maas.io/streams/v1/ should also be probably GPG signed

And ditto https://cdimage.ubuntu.com/ubuntu-core/appliances/streams/v1/

and any other streams that I might now.

Also multipass & maas should have access to the gpg keyrings (i.e. vendor various debs produced by src:ubuntu-keyring) and fetch streams with gpg verification.

Otherwise we cannot detect if streams get mirrored and tampered with.

Dimitri John Ledkov (xnox)
information type: Public → Public Security
Revision history for this message
Adam Collard (adam-collard) wrote :

https://images.maas.io/ephemeral-v3/stable/streams/v1/

The MAAS image stream is signed?

Changed in maas:
status: New → Incomplete
Revision history for this message
Michał Sawicz (saviq) wrote :

We in Multipass are following LXD's suit, they've decided against GPG for cross-platform and key revocation reasons.

Streams are accessed via HTTPS, the assumption being that as long as your HTTPS connection to the host is good verified, the streams are considered trusted.

Revision history for this message
Alberto Donato (ack) wrote :

Marking this invalid for maas. As per Adam's comment MAAS streams (stable, candidate, daily) are GPG signed.

Changed in maas:
status: Incomplete → Invalid
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.