Have check-mirrors use a dedicated keyring
At the moment, when running from our servers, check-mirrors uses the keyring of its Unix user, with only the right signing key imported in it.
This shouldn't matter when it's running as a dedicated user, but in other cases, a mirror could publish a signature that is valid according to a different key.
git clone https://git.tails.boum.org/check-mirrors
#3 Updated by intrigeri over 2 years ago
- Assignee deleted (
- QA Check deleted (
check-mirrors checks the detached signature on our ISO image published by mirrors. What we want to check is that this signature 1. is valid; 2. was made by the Tails signing key. Currently we only check it's made by some key that's in the user's public keyring.
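The two checks described above, as an added example that is not check-mirrors code: gpg is restricted to a dedicated keyring file, and the signature is accepted only if gpg's machine-readable status output reports a valid signature whose primary-key fingerprint equals a pinned value. The function names, keyring path, fingerprints and sample status lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not check-mirrors code. The fingerprints and status lines
# below are constructed; replace EXPECTED_FPR with the real primary-key
# fingerprint (40 uppercase hex digits, no spaces).
EXPECTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Reads `gpg --status-fd` output on stdin. Succeeds only if exactly one
# VALIDSIG is reported, its primary-key fingerprint equals $1, and gpg
# reported no bad, expired or revoked signature or key status.
status_is_signed_by() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" {
            total++
            # Field 12 is the primary key fingerprint; field 3 is the
            # (sub)key that made the signature. Fall back to it if absent.
            fpr = (NF >= 12) ? $12 : $3
            if (fpr == want) pinned++
        }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad++ }
        END { exit !(total == 1 && pinned == 1 && bad == 0) }
    '
}

# verify_detached KEYRING SIGNATURE FILE
# KEYRING must contain a slash (e.g. ./signing-key.kbx); a bare file name
# is looked up in the GnuPG home directory instead.
verify_detached() {
    # --no-default-keyring: ignore whatever keys the invoking user imported.
    gpg --batch --no-default-keyring --keyring "$1" \
        --status-fd 1 --verify "$2" "$3" 2>/dev/null |
        status_is_signed_by "$EXPECTED_FPR"
}

# Constructed status output: valid signature made by the pinned key.
SAMPLE_PINNED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Key <signing@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2016-01-01 1451606400 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'

# Constructed status output: equally valid signature, but made by a
# different key that happens to be in the keyring.
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Another Key <other@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2016-01-01 1451606400 0 4 0 1 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98'
```

Rejecting signatures from expired or revoked keys is a policy choice made in this example; the decision is taken from the status lines rather than from gpg's exit code.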