[Bug 1565889] Re: /install/filesystem.squashfs should be signed
Launchpad Bug Tracker
1565889 at bugs.launchpad.net
Mon Apr 18 13:42:14 UTC 2016
This bug was fixed in the package live-installer - 51ubuntu2
---------------
live-installer (51ubuntu2) xenial; urgency=medium
  * Validate signatures on components exported via a mirror, based on
    net-retriever code. LP: #1565889.
 -- Dimitri John Ledkov <xnox at ubuntu.com>  Wed, 06 Apr 2016 21:54:15 +0100
** Changed in: live-installer (Ubuntu)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to debian-cd in Ubuntu.
https://bugs.launchpad.net/bugs/1565889
Title:
/install/filesystem.squashfs should be signed
Status in Ubuntu CD Images:
Fix Released
Status in debian-cd package in Ubuntu:
Invalid
Status in live-installer package in Ubuntu:
Fix Released
Bug description:
Prior to xenial, /install/filesystem.squashfs would only be used from
a locally booted and mounted media. In xenial, the live-installer
package was extended to automatically search a mirror, download
remotely and use filesystem.squashfs. Before xenial, such actions were
only performed upon explicit user request and from a user-supplied URL.
Given that this is now done automatically, it is prudent to gpg sign
and validate such downloads prior to them being used. Otherwise an
avenue is opened for a "rogue" mirror to have a valid verbatim mirror
of the apt archive, yet a modified filesystem.squashfs which
unmodified verified d-i could be blindly using.
Ideally live-installer would simply use secure apt download facility
of arbitrary files with gpg signature verification, but I doubt that
anna currently supports that.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-cdimage/+bug/1565889/+subscriptions
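The check the bug description asks for, sketched as an added example; this is not live-installer or net-retriever code. It assumes the mirror publishes a manifest of "<sha256>  <name>" lines with a detached GPG signature over it, and that a trusted keyring already exists on the installer; the function names and the manifest layout are hypothetical.

```shell
#!/bin/sh
# Added example: fail-closed acceptance of a mirror-supplied image.
# Assumed layout (not from the bug report): a manifest of "<sha256>  <name>"
# lines plus a detached signature over that manifest.

# Verify the manifest's detached signature against a local, trusted keyring.
# Pass the keyring as an absolute path. gpgv exits non-zero for a bad
# signature or a key that is not in the keyring.
verify_manifest() {   # args: keyring manifest signature
    [ -s "$1" ] && [ -s "$2" ] && [ -s "$3" ] || return 1
    gpgv --keyring "$1" "$3" "$2" >/dev/null 2>&1
}

# Compare a downloaded file with its entry in the (already verified) manifest.
check_listed_hash() { # args: manifest name file
    want=$(awk -v n="$2" '$2 == n { print $1; exit }' "$1")
    [ -n "$want" ] || return 1      # name not listed: refuse
    have=$(sha256sum "$3" 2>/dev/null | cut -d' ' -f1)
    [ "$want" = "$have" ]
}

# Accept the file only if both checks pass; otherwise delete it so that no
# later installer step can pick up an unverified image.
accept_download() {   # args: keyring manifest signature name file
    if verify_manifest "$1" "$2" "$3" && check_listed_hash "$2" "$4" "$5"; then
        return 0
    fi
    rm -f "$5"
    return 1
}
```

The hash comparison is only meaningful after the manifest signature has verified, which is why accept_download runs the two checks in that order and treats any failure as a refusal.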