Proposed F19 Feature: Package Signature Checking During Installation

Björn Persson bjorn at xn--rombobjrn-67a.se
Tue Jan 8 19:28:03 UTC 2013


Peter Jones wrote:
> On Tue, Jan 08, 2013 at 05:46:04PM +0100, Björn Persson wrote:
> > In my opinion, if Anaconda finds that it was booted without Secure
> > Boot, then it should assume that the user has verified the checksum on
> > the installation image and that the keys therein are therefore trusted,
> > and use those keys to verify any packages it downloads.  
> 
> Feel free to submit a feature for this and patches for it if you feel
> it's appropriate to do so.

I want to, it's just that if I'd try to actually do everything I want
to do I'd spread myself so thin that I'd never get anything done at
all.

> I don't happen to think it is, so I'm not going to.

Do you think anything is gained security-wise by omitting the signature
checking? Is the installation more secure if the packages aren't
verified at all than if they are verified against an uncertain root of
trust? Or does it take more programming work to do the same checking in
all cases than it takes to enable or disable the checking depending on
whether Secure Boot was used?

> > It's enough to verify downloaded packages in that case. Packages
> > included on the boot medium don't need to be checked if the boot medium
> > is trusted, but of course it doesn't hurt to verify those too if it's
> > easier to program that way.  
> 
> It's hard to figure out how these are more trustable than downloaded
> packages, given that using boot media that wasn't downloaded is a very
> rare way to install Fedora.

DVD images have usually been published together with a file of
checksums, and I hope that practice will continue. The DVD image can be
verified with the checksum. The checksum can be verified with the PGP
signature on the checksum file. The signature is made with the Fedora
project's release key. The release key can be downloaded from Fedora's
server over HTTPS. The HTTPS session is secured with an X.509 key that
belongs to Red Hat. The X.509 key is certified by a CA key that belongs
to Geotrust. The CA key is certified by Geotrust's root CA key.

The question is then how the user acquired a copy of the root CA
certificate. In many cases it was included with an operating system
that was already installed when the user bought the computer, much
like how the platform key for Secure Boot is already installed when the
user buys the computer. In other cases the root CA certificate came
with a browser or an OS that the user downloaded, perhaps in an
insecure way. We can't control this, so it may be considered a weak
link in the chain.

I'll agree that most users probably don't verify their DVD images as it
takes some manual work to do it properly, so that's another weak link,
but the possibility does exist for those of us who care enough about
our security. When Anaconda downloads packages, on the other hand, they
will often be transferred over insecure HTTP or FTP, and the user isn't
given a chance to verify them manually before they're installed.

The presence of one or two weak links in the chain is a very poor
excuse for omitting another link altogether.

Björn Persson