Proposed F19 Feature: Package Signature Checking During Installation
Florian Weimer
fweimer at redhat.com
Thu Jan 10 13:12:07 UTC 2013
On 01/09/2013 04:09 PM, Peter Jones wrote:
>> It just occurred to me that this has zero chance of working because
>> an attacker can always take the already-signed boot path from the
>> F18 installer and use that to boot a modified F19 installation
>> image. We cannot retroactively add these checks to the F18
>> installation images (or F18 installations). We could theoretically
>> revoke the signatures on the F18 binaries, but this would not go
>> well with our users.
>
> Sure; the intent here is to allow the images to validate the repos.
And this is a fine thing to do. We should probably change yum to
download the repomd.xml file over HTTPS from a centralized,
Fedora-managed server with certificate checking, and verify the hash
chain leading to the RPMs. This way, users won't install outdated
packages from a bad mirror. (This applies post-installation as well.)
I do agree that this is important work. As far as I can tell, it's
completely independent of Secure Boot, so it has a chance of working well.
> As it stands you still need to verify that your netinst.iso (or
> whatever) boot image is what you mean to be using. There are ways we
> can address that, but it's not the problem I'm trying to solve with this
> particular feature.
Fair enough. A special client which downloads the actual installation
media from the mirror network and the verification hash from a project
server over HTTPS shouldn't be too hard to write and could provide
out-of-band verification. (This could be a Firefox add-on, for example,
to provide users with a trust root.)
--
Florian Weimer / Red Hat Product Security Team
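The hash chain Florian describes (repomd.xml fetched over HTTPS from a trusted server, then the primary metadata it names, then the RPM that primary names) as an added Python example; this is not code from the thread or from yum. The XML fixtures and package bytes are constructed, and a real repomd.xml carries a checksum of the compressed metadata file plus an open-checksum of the uncompressed one, which this example simplifies to a single hash over the bytes as served.

```python
import hashlib
import xml.etree.ElementTree as ET

# Real namespaces used by repomd.xml and primary.xml
REPO_NS = "{http://linux.duke.edu/metadata/repo}"
COMMON_NS = "{http://linux.duke.edu/metadata/common}"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def expected_primary_hash(repomd_xml: bytes) -> str:
    """Link 1: repomd.xml (the only file fetched over HTTPS from the project
    server) states the checksum the primary metadata file must have."""
    root = ET.fromstring(repomd_xml)
    for data in root.findall(REPO_NS + "data"):
        if data.get("type") == "primary":
            return data.find(REPO_NS + "checksum").text.strip()
    raise ValueError("repomd.xml has no primary entry")


def expected_package_hash(primary_xml: bytes, href: str) -> str:
    """Link 2: primary.xml states the checksum of each RPM by its location."""
    root = ET.fromstring(primary_xml)
    for pkg in root.findall(COMMON_NS + "package"):
        if pkg.find(COMMON_NS + "location").get("href") == href:
            return pkg.find(COMMON_NS + "checksum").text.strip()
    raise ValueError(f"{href} is not listed in primary.xml")


def verify_chain(repomd_xml: bytes, primary_xml: bytes, href: str, rpm: bytes) -> bool:
    """Accept mirror-served metadata and an RPM only if every link matches.
    A stale or altered primary.xml from a bad mirror fails at link 1, so its
    package checksums are never trusted."""
    if sha256(primary_xml) != expected_primary_hash(repomd_xml):
        return False
    return sha256(rpm) == expected_package_hash(primary_xml, href)


# Constructed fixtures standing in for files a mirror would serve.
RPM = b"constructed stand-in for the bytes of foo-1.0-1.noarch.rpm"
HREF = "Packages/foo-1.0-1.noarch.rpm"
PRIMARY = (
    f'<metadata xmlns="http://linux.duke.edu/metadata/common"><package type="rpm">'
    f'<name>foo</name><checksum type="sha256" pkgid="YES">{sha256(RPM)}</checksum>'
    f'<location href="{HREF}"/></package></metadata>'
).encode()
REPOMD = (
    f'<repomd xmlns="http://linux.duke.edu/metadata/repo"><data type="primary">'
    f'<checksum type="sha256">{sha256(PRIMARY)}</checksum>'
    f'<location href="repodata/primary.xml"/></data></repomd>'
).encode()
```

Swapping in a modified RPM or a modified primary.xml makes `verify_chain` return False, which is the outcome a bad mirror should produce.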