Tools with signatures
William Reade
william.reade at canonical.com
Tue Apr 9 21:34:47 UTC 2013
On Tue, 2013-04-09 at 09:38 +1000, David Cheney wrote:
> > If the juju tool only knows the "official juju" public key, how does
> > that not validate the tools are from a trusted source? It doesn't help
> > the --upload-tools case, but those are put in your private bucket anyway.
>
> uh, we're creating the tool that is uploaded. We can tell it to ignore
> signatures, or sign it ourselves and embed the key.
>
FWIW I would prefer to have the signature-checking path exercised
regularly, so let's try to avoid a no-signatures mode.