Björn Persson <Bjorn(a)xn--rombobjrn-67a.se> writes:
> I believe Yum has a feature to verify signed repository metadata. I
> don't know why it's not used. If that verification would be turned on,
> are there any attacks that would still be possible then, that Rekor
> could prevent?
There's still the classic downgrade attack: point to an older version of
the repositories. Enforcing https helps mitigate it by having the client
put trust in the certificate owner to run a secure mirror which is kept
up to date.
You get some protection from *some* downgrade attacks since there are
timestamps on repo metadata, and if you see older metadata than what you
saw last time, yum (at least; I haven't double-checked DNF) will complain
at you.
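As an added illustration, not code from this thread or from yum/dnf, here is the "older than what I saw last time" comparison over the `<timestamp>` elements of a createrepo-style repomd.xml. The two documents are constructed samples, and the check is my own approximation of the behaviour described above, not yum's actual implementation.

```python
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Namespace used by createrepo for repomd.xml.
REPO_NS = "{http://linux.duke.edu/metadata/repo}"

# Constructed samples: an older and a newer snapshot of the same repo.
# (Checksums and hrefs are placeholders; only the timestamps matter here.)
REPOMD_OLD = """<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <revision>1690000000</revision>
  <data type="primary">
    <checksum type="sha256">PLACEHOLDER</checksum>
    <location href="repodata/PLACEHOLDER-primary.xml.gz"/>
    <timestamp>1690000000</timestamp>
  </data>
</repomd>"""

REPOMD_NEW = REPOMD_OLD.replace("1690000000", "1700000000")


def repomd_timestamp(repomd_xml: str) -> int:
    """Newest <timestamp> across all <data> entries: when this snapshot
    of the repository metadata was generated."""
    root = ET.fromstring(repomd_xml)
    stamps = [int(ts.text) for ts in root.iter(REPO_NS + "timestamp")]
    if not stamps:
        raise ValueError("repomd.xml carries no <timestamp> elements")
    return max(stamps)


def check_downgrade(last_seen: Optional[int], fetched_xml: str) -> Tuple[bool, int]:
    """Accept fetched metadata only if it is not older than what the client
    recorded last time. Returns (accepted, timestamp_to_record).

    Caveat: this only detects rollback to a strictly older snapshot, and the
    timestamp is only trustworthy if the metadata signature was verified
    first; an attacker who can forge repomd.xml can forge its timestamp too.
    """
    new = repomd_timestamp(fetched_xml)
    if last_seen is not None and new < last_seen:
        return False, last_seen  # keep the newer record, reject the fetch
    return True, new


if __name__ == "__main__":
    ok, seen = check_downgrade(None, REPOMD_NEW)      # first sync: accepted
    ok2, seen2 = check_downgrade(seen, REPOMD_OLD)    # rollback: rejected
    print(ok, seen, ok2, seen2)
```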