Proposed F19 Feature: Package Signature Checking During Installation
Petr Pisar
ppisar at redhat.com
Tue Jan 8 15:52:02 UTC 2013
On 2013-01-08, Jaroslav Reznik <jreznik at redhat.com> wrote:
>
>= Features/PackageSignatureCheckingDuringInstall =
> https://fedoraproject.org/wiki/Features/PackageSignatureCheckingDuringInstall
>
> * Detailed description:
> One long-standing problem in Fedora is that we don't check package signatures
> during installation. This has been a persistent issue since the very beginning
> of Fedora (and even in Red Hat Linux before it.) The reason for this has
> always been that there's no way to form any root of trust for the signatures
> in the repositories, and thus no reason they wouldn't have been modified along
> with whatever package would need to be re-signed after tampering.
>
Reading till here makes me pondering how's possible rpm does not check
package signature.
> Following the implementation of Features/SecureBoot, we can extend the Secure
> Boot keys as a root of trust provided by the hardware against which we can
> verify a signature on our key files, thus guaranteeing that they're from the
> same source as the boot media.
>
Now it's clear it's about insttalling distribution. Not about installing
a package with rpm in general.
Could reponsible person change title and abstract to be clear it's about
_distribution_ installation?
-- Petr
More information about the devel
mailing list