Bug 73995 - ITS Tool releases could be PGP-signed
Summary: ITS Tool releases could be PGP-signed
Status: NEW
Alias: None
Product: ITS Tool
Classification: Unclassified
Component: general
Version: unspecified
Hardware: All All
Importance: low enhancement
Assignee: Shaun McCance
QA Contact:
URL:
Whiteboard:
Keywords: security
Depends on:
Blocks:
 
Reported: 2014-01-23 22:36 UTC by Tanguy Ortolo
Modified: 2014-01-23 22:36 UTC

Description Tanguy Ortolo 2014-01-23 22:36:09 UTC
Hello,

If possible, it would be nice to PGP-sign ITS Tool releases, in addition to or in place of the existing SHA-256 checksums. That would allow users to check they are not downloading a rogue version created to create a security breach in their systems.

Notably, the Debian operating system can automatically check upstream releases, which allows building a full security chain since the packages derived from them are also signed!

If you have a working installation of GnuPG, that can be done with the following command:

    $ gpg --detach-sign itstool-2.0.2.tar.bz2

Regards,

-- 
Tanguy Ortolo
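
The signing command from the report, paired with the check a downloader would run, as an added example that is not part of the original report or of ITS Tool's release process. The file name `example-1.0.tar.bz2`, the maintainer identity, the throwaway key and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. File name, identity and key are constructed; this is a
# throwaway key in a temporary keyring, not an ITS Tool release key.
REL=example-1.0.tar.bz2

# Maintainer side: create a key, a release file, its checksum and signature.
make_release() {
    GNUPGHOME="$1/gnupg"; export GNUPGHOME
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example Maintainer <maintainer@example.org>' \
        ed25519 sign never 2>/dev/null || return 1
    printf 'constructed release contents\n' > "$1/$REL"
    (cd "$1" && sha256sum "$REL" > "$REL.sha256sum") || return 1
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --detach-sign "$1/$REL"            # writes $REL.sig
}

# What the report calls a rogue version: file and checksum both replaced on
# the download server by someone who does not hold the private key.
replace_on_server() {
    printf 'different contents\n' > "$1/$REL"
    (cd "$1" && sha256sum "$REL" > "$REL.sha256sum")
}

# Downloader side. In practice the public key is obtained and checked out of
# band; here it is already in the temporary keyring.
checksum_ok()  { (cd "$1" && sha256sum --status -c "$REL.sha256sum"); }
signature_ok() { gpg --batch --quiet --verify "$1/$REL.sig" "$1/$REL" 2>/dev/null; }

report() {
    checksum_ok "$1"  && echo "  checksum:  OK" || echo "  checksum:  FAILED"
    signature_ok "$1" && echo "  signature: OK" || echo "  signature: FAILED"
}

demo() {
    dir=$(mktemp -d) || return 1
    make_release "$dir" || { rm -rf "$dir"; return 1; }
    echo "genuine release:";    report "$dir"
    replace_on_server "$dir"
    echo "replaced on server:"; report "$dir"
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run the script with the argument `demo`: the regenerated checksum still passes for the replaced file, while the detached signature no longer verifies.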

