debian-installer images aren't signed in the archive

Bug #431790 reported by Loïc Minier
This bug affects 3 people
Affects: Launchpad itself
Status: Triaged
Importance: Low
Assigned to: Unassigned

Bug Description

Binary package hint: debian-installer

Hi

debian-installer images, for instance netboot images, can be downloaded for karmic/armel at:
http://ports.ubuntu.com/ubuntu-ports/dists/karmic/main/installer-armel/current/images/
but these aren't signed by any gpg key anywhere (that I could find).

(This is also an issue in Debian.)

There are already MANIFEST and MD5SUMS files; I think we could create an "Index" file which would have file names as in the MANIFEST list combined with Sha1:, Sha256: and Md5sums:, perhaps something like http://ftp.de.debian.org/debian/dists/unstable/main/i18n/Index. This Index file would be hashed in the Release file at http://ports.ubuntu.com/ubuntu-ports/dists/karmic/Release which has a detached signature Release.gpg.

Debian has some Index files in http://ftp.de.debian.org/debian/dists/unstable/Release but I don't know whether Soyuz supports them; would be trivial to implement though.

Does this look like a good plan? Any security issue with this approach?

Bye,

Colin Watson (cjwatson) wrote :

I don't think we need to invent a new index file (the Index files you're referring to are mostly for pdiffs anyway). Why not just add an MD5SUMS.gpg alongside the existing MD5SUMS? That would be simple, sufficient, and straightforward. Alternatively, it would be OK to add the checksums of MD5SUMS itself to the Release file, although that seems a little awkward given that it's sometimes necessary for an archive admin to modify dists/*/main/installer-*/ directly and I would prefer it if those directories were self-contained rather than hooked into Release.

I've added SHA1SUMS and SHA256SUMS files for the next debian-installer upload.
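
Added example, not part of the bug thread and not Ubuntu or Launchpad code: the check a client fetching a single installer image could run under the detached-signature scheme proposed above, verifying the signature on the checksum list first and only then trusting a hash from it. The `SHA256SUMS.gpg` file name, the caller-supplied keyring path and all function names are assumptions; the sample data is constructed.

```python
import hashlib
import hmac
import subprocess

def signature_ok(sums_path, sig_path, keyring):
    """True only if gpgv accepts sig_path (assumed name: SHA256SUMS.gpg) as a
    detached signature over sums_path made by a key in `keyring`."""
    result = subprocess.run(
        ["gpgv", "--keyring", keyring, sig_path, sums_path],
        capture_output=True)
    return result.returncode == 0

def parse_sums(text):
    """Parse sha256sum-style lines ('<hex>  <path>') into {path: digest}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")          # drop separator and binary marker
        if name.startswith("./"):
            name = name[2:]
        digest = digest.lower()
        if (not name or len(digest) != 64
                or any(c not in "0123456789abcdef" for c in digest)):
            raise ValueError(f"malformed line: {line!r}")
        # Two different digests for one path means the list is ambiguous.
        if entries.setdefault(name, digest) != digest:
            raise ValueError(f"conflicting entries for {name}")
    return entries

def image_ok(entries, name, data):
    """Fail closed: a file missing from the signed list is not trusted."""
    expected = entries.get(name)
    if expected is None:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)

# Constructed sample standing in for a downloaded vmlinuz and its SHA256SUMS.
SAMPLE_IMAGE = b"constructed kernel image bytes"
SAMPLE_SUMS = hashlib.sha256(SAMPLE_IMAGE).hexdigest() + "  ./netboot/vmlinuz\n"
```

Call `signature_ok` on the downloaded checksum file before `parse_sums`; hashes taken from an unverified list prove nothing about the image.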

Loïc Minier (lool) wrote :

The reason I tended to favor moving to an Index file was to allow multiple hash formats in the same file (SHA1: ..., Md5sums: ...) because clearly md5 alone wasn't good enough.

I'm fine with having SHA1SUMS + MD5SUMS etc., that solves the same problem, albeit I wonder whether we could benefit from increased consistency by using Index and Release files instead of having a distinct layout for installer images. I think having self contained directories is important too, but I believe they need to match the archive anyway?

Thanks for your feedback!

Changed in soyuz:
status: New → Triaged
importance: Undecided → Low
tags: added: soyuz-publish
Colin Watson (cjwatson) wrote :

They need to match the archive to some extent, but only in that they need to have the same kernel ABI. This is a relatively weak criterion and it's often fine for it to be out by several publisher cycles. I'm reticent to invent new file formats for the archive that may differ from future work in Debian; detached GPG signatures on a few files are at least simple.

Julian, this is apparently needed for mobile team projects such as rootstock, so perhaps it needs a higher priority? Loïc should elaborate ...

Oliver Grawert (ogra) wrote :

yes, if there is a signed kernel binary available that would indeed improve the situation a lot, currently rootstock downloads Packages.gz for armel on the build host, parses that with grep-dctrl to determine the package name, downloads the .deb and unpacks it to get the vmlinuz file from it.
having a properly signed vmlinuz from d-i would save me from having all that overhead.

Loïc Minier (lool) wrote :

Context: I originally filed that bug because there was no way to verify signatures of some of the images we output (namely the /installer-$arch/ images in the archive); some of these were available on cdimage IIRC, but I think it made sense to have d-i's images signed like everything else in the archive. Since then, the "rootstock" tool was written by Oliver to create armel rootfses and virtual machines running Ubuntu (a virtual machine might be started during rootstock's run) and so needed to download just the vmlinuz file; this is why I revived this bug report a bit, so as to allow rootstock to pull from a straightforward location rather than the quite indirect path Oliver mentioned.

It's hard for me to judge at what deadline this should be implemented for Oliver to have the time to adapt rootstock; ideally, if the signed kernels could be available in the next weeks or month, that would seem nice, but I can't judge the relative importance of this feature when compared to other ones.

Oliver Grawert (ogra) wrote :

a month would be the max for me to make lucid, rootstock staying in universe for this release gives me some extra freedom, but given the feature needs proper testing and rootstock being widely used in the armel community i don't want to leave the testing phase too short here.

Julian Edwards (julian-edwards) wrote :

It's extremely difficult for me to take on high-priority bugs at short notice, we're totally maxed out in Soyuz-land. If you want to go via the MD5SUMS.gpg route then this is a really easy change that any of you can make in the existing publisher code. I'd be happy to mentor that.

If that's not possible then find me on IRC to talk about things.

Cheers.

Colin Watson (cjwatson) wrote :

See also bug 383044. These are probably the same?

Colin Watson (cjwatson)
Changed in debian-installer (Ubuntu):
status: New → Invalid
Loïc Minier (lool)
no longer affects: debian-installer (Ubuntu)