Proposed F19 Feature: Package Signature Checking During Installation
Florian Weimer
fweimer at redhat.com
Wed Jan 9 10:55:42 UTC 2013
On 01/08/2013 07:15 PM, Peter Jones wrote:
> On Tue, Jan 08, 2013 at 11:04:30AM -0500, Steve Clark wrote:
>>
>> What about repins? I want to add my own custom package that is not signed and create a new CD with a custom ks.cfg.
>> How would that work?
>
> You'd generate your own key, and people using your packages, who have
> presumably decided they trust that you're really you through some other
> method, would enrol your key in the MoK list on the machine. Alternately
> you can pay $99 (one time only) and get your keys signed by something the
> machine already trusts.
I don't think this is how it works. Earlier descriptions confirm what
you wrote, but to my knowledge, they do not describe the actual process.
The $99 certificate is used to authenticate to Microsoft only, and
Microsoft produces a completely unrelated signature on the blob you
submit, using a certificate of their own. Without this additional step,
the $99 certificate is just as good as any other. A new blessing has to
be obtained for every new blob.
You'd also have to rebuild the entire chain, which is quite a bit of
effort just for a custom kickstart configuration.
I don't think relying on Secure Boot is the best way to secure the
installation path. Theoretically, it is feasible, but it will always be
brittle. Those who cannot use Secure Boot (because they lack the
hardware or rely on kernel features disabled by Secure Boot) should have
access to a secure installation path, too.
--
Florian Weimer / Red Hat Product Security Team
More information about the devel
mailing list