[MDEV-8972] Tarball verification update Created: 2015-10-20  Updated: 2017-03-06  Resolved: 2017-03-06

Status: Closed
Project: MariaDB Server
Component/s: Documentation, OTHER
Affects Version/s: 10.0.21, 10.1.8
Fix Version/s: 5.5.54, 10.0.29, 10.1.21, 10.2.5, 5.5.54-galera, 10.0.29-galera

Type: Bug Priority: Minor
Reporter: Bernard Spil Assignee: Daniel Bartholomew
Resolution: Fixed Votes: 1
Labels: None
Environment: Any

Description

I'd like to see several improvements to the code verification for MariaDB. Porters should always have a way to validate that the tarball they've downloaded has not been tampered with.

  1. Only PGP-signed MD5 hashes are available for downloadable tarballs. Please update the hashes to SHA256 and provide signatures for these as well.
  2. Documentation on how to verify your downloaded tarball seems to be missing.
  3. The PGP code-signing key is not published on the website (yet it is on https://yum.mariadb.org).


Comments
Comment by Daniel Bartholomew [ 2015-10-20 ]

The fingerprint of the GPG key is published in the Knowledge Base: https://mariadb.com/kb/en/mariadb/gpg/

GPG signatures of the files, not just signatures of the md5sums of the files, are also available on the downloads page. Adding SHA256 hashes is doable, but it will require some work on the backend of the downloads system.

We should definitely add some documentation on how to verify downloads. greenman: Do you want to add this? If not, I can.

Thanks!

Comment by Daniel Bartholomew [ 2017-03-06 ]

The download backend has been updated to support SHA256 and SHA512 hashes. They will be present on all releases moving forward and all current releases have them.
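As an added example, not part of this ticket and not MariaDB's own tooling: a POSIX shell script that performs the verification the reporter asks documentation for, using the SHA256/SHA512 checksum lists the comment above says are now published together with the detached GPG signature of the tarball, and pinning the signing key to the fingerprint published in the Knowledge Base. The tarball name, the checksum-list file names and layout (`sha256sum` output format) and the `EXPECTED_FPR` value are assumptions; the real fingerprint has to be taken from the KB page linked above.

```shell
#!/bin/sh
# Added example: verify a downloaded release tarball against a published
# SHA-256/SHA-512 checksum list and a detached PGP signature, and pin the
# signing key's fingerprint to the one published out of band (the KB page).
# Not MariaDB's own tooling. File names, the checksum-file layout and the
# fingerprint value below are assumptions for the demonstration.

set -u

# Fingerprint the signature must chain to. PLACEHOLDER: replace with the
# fingerprint published at https://mariadb.com/kb/en/mariadb/gpg/
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"

# digest ALGO FILE -> hex digest; ALGO is 256 or 512.
# Uses GNU sha*sum when present and falls back to BSD/macOS shasum.
digest() {
    if command -v "sha$1sum" >/dev/null 2>&1; then
        "sha$1sum" "$2" | awk '{print $1}'
    else
        shasum -a "$1" "$2" | awk '{print $1}'
    fi
}

# verify_checksum ALGO TARBALL SUMSFILE
# SUMSFILE holds "<hex>  <name>" lines as written by sha256sum/sha512sum
# (a leading '*' marks binary mode and is ignored). Returns 0 only when the
# file is listed and its digest matches the published one.
verify_checksum() {
    algo=$1; tarball=$2; sums=$3
    [ -f "$tarball" ] || { echo "missing file: $tarball" >&2; return 1; }
    [ -f "$sums" ] || { echo "missing checksum list: $sums" >&2; return 1; }
    expected=$(awk -v f="$(basename "$tarball")" \
        '{ n = $2; sub(/^\*/, "", n); if (n == f) { print $1; exit } }' "$sums")
    [ -n "$expected" ] || { echo "no sha$algo entry for $tarball" >&2; return 1; }
    actual=$(digest "$algo" "$tarball")
    if [ "$actual" = "$expected" ]; then
        echo "sha$algo OK: $tarball"
    else
        echo "sha$algo MISMATCH: $tarball" >&2
        return 1
    fi
}

# verify_signature TARBALL SIGFILE
# A "Good signature" alone is not enough: any key in the local keyring would
# produce one. The machine-readable status output is parsed for VALIDSIG and
# its primary-key fingerprint (last field) is compared with EXPECTED_FPR, so
# the tarball is accepted only if it was signed by the pinned release key.
verify_signature() {
    tarball=$1; sig=$2
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || {
        echo "signature check failed (bad signature, or key not imported): $tarball" >&2
        return 1
    }
    fpr=$(printf '%s\n' "$status" | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }')
    if [ -n "$fpr" ] && [ "$fpr" = "$EXPECTED_FPR" ]; then
        echo "signature OK, signed by $fpr: $tarball"
    else
        echo "signature made by unexpected key ${fpr:-<none>}, wanted $EXPECTED_FPR" >&2
        return 1
    fi
}

# main TARBALL SUMSFILE SIGFILE: both checks must pass; exit status is non-zero otherwise.
main() {
    verify_checksum 256 "$1" "$2" && verify_signature "$1" "$3"
}

# Runs only when invoked with arguments, e.g.
#   EXPECTED_FPR=<fingerprint from the KB> ./verify.sh mariadb-x.y.z.tar.gz sha256sums.txt mariadb-x.y.z.tar.gz.asc
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The checksum list is normally fetched from the same server as the tarball, so a matching digest only proves the download was not corrupted or swapped after the list was generated; authenticity comes from the signature, and only if the verifying key is pinned to a fingerprint obtained independently of the download site, which is why the script rejects a cryptographically valid signature from any other key.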
