Suggestion: bmap files and bmaptool

Artem Bityutskiy dedekind1 at gmail.com
Wed Aug 14 10:39:29 UTC 2013


On Wed, 2013-08-14 at 12:24 +0200, Björn Persson wrote:
> Speaking of security, how is the integrity of the bmap file itself
> verified?

This is not implemented, unfortunately. This is another thing which I
probably would need to do, and this is a very good point.

I will look at this, after I do the SHA256 thing.

> A checksum is of no use if you don't know who generated the
> checksum. Fedora's checksum files are OpenPGP signed, as you can see
> in the one that Till linked to.

Right, a bmap file could also contain such a signature.

> I don't see a cryptographic signature in
> your example file. Are there detached signatures for the bmap files?

Well, of course detached signatures can be generated.

> And does Bmaptool verify the signatures?

But no, bmaptool does not verify them. And again, if there is real
interest from the Fedora community, I will try to implement this faster (or
accept someone's contribution :-))

Thanks for the feedback!

-- 
Best Regards,
Artem Bityutskiy
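
The point raised in this exchange, that a checksum proves nothing unless the file carrying it is itself authenticated, shown as an added example that is not part of the original message and is not bmaptool code. Assumptions: the JSON manifest is a simplified stand-in for a bmap file, HMAC-SHA256 with a demo key stands in for an OpenPGP signature, and all function names and sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample data: the manifest is a simplified stand-in for a bmap file,
# and HMAC-SHA256 with a demo key stands in for an OpenPGP signature (stdlib only).
SIGNING_KEY = b"constructed-demo-key"


def make_manifest(image: bytes) -> bytes:
    """Build a manifest that records the image's SHA256 checksum."""
    return json.dumps({"sha256": hashlib.sha256(image).hexdigest()}).encode()


def sign(manifest: bytes, key: bytes) -> bytes:
    """Detached authentication tag over the manifest bytes."""
    return hmac.new(key, manifest, hashlib.sha256).digest()


def checksum_ok(manifest: bytes, image: bytes) -> bool:
    """Checksum-only check: compares the image with the manifest's own claim."""
    expected = json.loads(manifest)["sha256"]
    return hmac.compare_digest(expected, hashlib.sha256(image).hexdigest())


def verified_ok(manifest: bytes, tag: bytes, image: bytes, key: bytes) -> bool:
    """Authenticate the manifest first, and only then trust its checksum."""
    if not hmac.compare_digest(sign(manifest, key), tag):
        return False  # not the manifest the publisher signed
    return checksum_ok(manifest, image)


def demo() -> dict:
    image = b"constructed image contents"
    manifest = make_manifest(image)
    tag = sign(manifest, SIGNING_KEY)
    # Whoever can replace the image can replace the manifest stored beside it.
    bad_image = b"constructed image contents, modified in transit"
    bad_manifest = make_manifest(bad_image)
    return {
        "genuine": verified_ok(manifest, tag, image, SIGNING_KEY),
        "swapped_checksum_only": checksum_ok(bad_manifest, bad_image),
        "swapped_with_signature": verified_ok(bad_manifest, tag, bad_image, SIGNING_KEY),
        "image_only_modified": verified_ok(manifest, tag, bad_image, SIGNING_KEY),
    }


if __name__ == "__main__":
    print(demo())
```

The checksum-only check accepts the replaced image and manifest pair; the check that authenticates the manifest first rejects it.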


