Force authentication for cdebootstrap-static #62
Conversation
Before, during initial bootstrapping, cdebootstrap-static ignored "the unavailability of Release.gpg, missing keyrings, broken signatures, and missing gpgv executable". This commit adds the necessary dependencies to be able to perform the verifications. Following this commit, the signatures/checksums on the Release file and all packages are properly checked.
|
Thank you so much for this PR 👍 I've started playing locally to fix this pet-peeve of mine and this will surely speed things up :-) |
|
It seems to work (testing it atm), provided that the date is set correctly with rdate ... which is rather a weak point in the rcS script. Even though it's marked as non-fatal, it does become fatal when this commit is added. Any suggestions on this would be welcome, since busybox's sh doesn't support arrays :-/ |
|
Also adding another commit to your PR doesn't automatically close the issue, hence closing it manually. Thanks again for your contribution 👍 |
Before, during initial bootstrapping, cdebootstrap-static ignored "the unavailability of Release.gpg, missing keyrings, broken signatures, and missing gpgv executable". This commit adds the necessary dependencies to be able to perform the verifications. Following this commit, the signatures/checksums on the Release file and all packages are properly checked.
Note that before this change, downloads of all of the packages during installation were performed over an unencrypted http connection with no verification, so they were subject to man-in-the-middle attacks.