summaryrefslogtreecommitdiff
path: root/man
diff options
context:
space:
mode:
authortblume <Thomas.Blume@suse.com>2017-04-24 20:37:11 +0200
committerLennart Poettering <lennart@poettering.net>2017-04-24 20:37:11 +0200
commit697be0be15df33e421e29c3b60b10b40c413bb8b (patch)
tree25cc20fe22d75c46b013d65af1a27965cc8a0f11 /man
parent8ea9aa9e88b043aaa48eed4b482ac58342457e16 (diff)
downloadsystemd-697be0be15df33e421e29c3b60b10b40c413bb8b.tar.gz
importd: support SUSE style checksums (#5206)
In order to verify a pulled container or disk image, importd only supports SHA256SUMS files with the detached signature in SHA256SUMS.gpg. SUSE is using an inline signed file with the name of the image itself and the suffix .sha256 instead. This commit adds support for this type of signature files. It is first attempted to pull the .sha256 file. If this fails with error 404, the SHA256SUMS and SHA256SUMS.gpg files are pulled and used for verification.
Diffstat (limited to 'man')
-rw-r--r--man/machinectl.xml29
1 files changed, 16 insertions, 13 deletions
diff --git a/man/machinectl.xml b/man/machinectl.xml
index 7a159aecdc..46dcb44ca6 100644
--- a/man/machinectl.xml
+++ b/man/machinectl.xml
@@ -713,19 +713,22 @@
is automatically derived from the last component of the URL,
with its suffix removed.</para>
- <para>The image is verified before it is made available,
- unless <option>--verify=no</option> is specified. Verification
- is done via SHA256SUMS and SHA256SUMS.gpg files that need to
- be made available on the same web server, under the same URL
- as the <filename>.tar</filename> file, but with the last
- component (the filename) of the URL replaced. With
- <option>--verify=checksum</option>, only the SHA256 checksum
- for the file is verified, based on the
- <filename>SHA256SUMS</filename> file. With
- <option>--verify=signature</option>, the SHA256SUMS file is
- first verified with detached GPG signature file
- <filename>SHA256SUMS.gpg</filename>. The public key for this
- verification step needs to be available in
+ <para>The image is verified before it is made available, unless
+ <option>--verify=no</option> is specified.
+ Verification is done either via an inline signed file with the name
+ of the image and the suffix <filename>.sha256</filename> or via
+ separate <filename>SHA256SUMS</filename> and
+ <filename>SHA256SUMS.gpg</filename> files.
+ The signature files need to be made available on the same web
+ server, under the same URL as the <filename>.tar</filename> file.
+ With <option>--verify=checksum</option>, only the SHA256 checksum
+ for the file is verified, based on the <filename>.sha256</filename>
+ suffixed file or the<filename>SHA256SUMS</filename> file.
+ With <option>--verify=signature</option>, the sha checksum file is
+ first verified with the inline signature in the
+ <filename>.sha256</filename> file or the detached GPG signature file
+ <filename>SHA256SUMS.gpg</filename>.
+ The public key for this verification step needs to be available in
<filename>/usr/lib/systemd/import-pubring.gpg</filename> or
<filename>/etc/systemd/import-pubring.gpg</filename>.</para>