Proposed F19 Feature: Package Signature Checking During Installation

Florian Weimer fweimer at redhat.com
Thu Jan 10 13:12:07 UTC 2013


On 01/09/2013 04:09 PM, Peter Jones wrote:

>> It just occurred to me that this has zero chance of working because
>> an attacker can always take the already-signed boot path from the
>> F18 installer and use that to boot a modified F19 installation
>> image.   We cannot retroactively add these checks to the F18
>> installation images (or F18 installations).  We could theoretically
>> revoke the signatures on the F18 binaries, but this would not go
>> well with our users.
>
> Sure; the intent here is to allow the images to validate the repos.

And this is a fine thing to do.  We should probably change yum to 
download the repomd.xml file over HTTPS from a centralized, 
Fedora-managed server with certificate checking, and verify the hash 
chain leading to the RPMs.  This way, users won't install outdated 
packages from a bad mirror.  (This applies post-installation as well.)

I do agree that this is important work.  As far as I can tell, it's 
completely independent of Secure Boot, so it has a chance of working well.

> As it stands you still need to verify that your netinst.iso (or
> whatever) boot image is what you mean to be using.  There are ways we
> can address that, but it's not the problem I'm trying to solve with this
> particular feature.

Fair enough.  A special client which downloads the actual installation 
media from the mirror network and the verification hash from a project 
server over HTTPS shouldn't be too hard to write and could provide 
out-of-band verification.  (This could be a Firefox add-on, for example, 
to provide users with a trust root.)

-- 
Florian Weimer / Red Hat Product Security Team
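The hash chain Florian describes above (a repomd.xml obtained over HTTPS from a project-run server, pinning the metadata and through it every RPM fetched from an untrusted mirror) and the out-of-band digest check he proposes for installation media both reduce to the same operation: compare bytes from a mirror against a digest obtained from a trusted source. The following is an added example written for this page, not code from the thread or from yum. The trusted repomd.xml bytes stand in for an HTTPS download with certificate checking, the "mirror" is a dict of path to bytes standing in for an HTTP mirror, and all repository contents, package names and hrefs are constructed here.

```python
"""Verify a yum repository hash chain rooted in a trusted repomd.xml.

Added example (not code from this thread or from yum): the trusted repomd.xml
bytes stand in for a copy fetched over HTTPS with certificate checking from a
project-run server; the "mirror" is a dict of path -> bytes standing in for an
untrusted HTTP mirror.  All names and sample data below are constructed.
"""
import gzip
import hashlib
import hmac
import xml.etree.ElementTree as ET

REPO_NS = "{http://linux.duke.edu/metadata/repo}"      # repomd.xml namespace
COMMON_NS = "{http://linux.duke.edu/metadata/common}"  # primary.xml namespace


class VerificationError(Exception):
    """Raised when any hop in the hash chain fails to verify."""


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, algo: str, expected_hex: str) -> bytes:
    """Return data unchanged if its digest matches; raise otherwise.

    The same check covers an ISO image: the digest comes from the project
    server over HTTPS, the bytes from whichever mirror is fastest.
    """
    if algo not in ("sha256", "sha512"):  # refuse weak or unknown digests
        raise VerificationError(f"unsupported checksum type {algo!r}")
    actual = hashlib.new(algo, data).hexdigest()
    if not hmac.compare_digest(actual, expected_hex.strip().lower()):
        raise VerificationError(f"{algo} mismatch: got {actual}, pinned {expected_hex}")
    return data


def fetch(mirror: dict, path: str) -> bytes:
    """Stand-in for an HTTP download from an untrusted mirror."""
    if path not in mirror:
        raise VerificationError(f"mirror did not serve {path}")
    return mirror[path]


def verify_repo_chain(trusted_repomd: bytes, mirror: dict) -> dict:
    """Walk repomd.xml -> primary metadata -> packages, verifying every hop.

    Every byte taken from the mirror is checked against a digest pinned by
    the trusted repomd.xml or by the already-verified primary.xml, so a
    mirror serving stale or modified files cannot get them installed.
    Returns {package href: verified package bytes}.
    """
    repomd = ET.fromstring(trusted_repomd)
    entry = repomd.find(f"{REPO_NS}data[@type='primary']")
    if entry is None:
        raise VerificationError("repomd.xml has no primary metadata entry")
    checksum = entry.find(f"{REPO_NS}checksum")
    href = entry.find(f"{REPO_NS}location").get("href")
    compressed = verify_digest(fetch(mirror, href), checksum.get("type"), checksum.text)
    primary_xml = gzip.decompress(compressed)
    open_checksum = entry.find(f"{REPO_NS}open-checksum")
    if open_checksum is not None:  # the decompressed form is pinned as well
        verify_digest(primary_xml, open_checksum.get("type"), open_checksum.text)

    verified = {}
    for pkg in ET.fromstring(primary_xml).iter(f"{COMMON_NS}package"):
        pkg_sum = pkg.find(f"{COMMON_NS}checksum")
        pkg_href = pkg.find(f"{COMMON_NS}location").get("href")
        verified[pkg_href] = verify_digest(
            fetch(mirror, pkg_href), pkg_sum.get("type"), pkg_sum.text)
    return verified


def chain_is_valid(trusted_repomd: bytes, mirror: dict) -> bool:
    """Boolean wrapper around verify_repo_chain for the demonstration."""
    try:
        verify_repo_chain(trusted_repomd, mirror)
        return True
    except VerificationError:
        return False


def build_sample_repo(package_bytes: bytes) -> tuple:
    """Construct a one-package repository: (trusted repomd.xml, mirror contents)."""
    pkg_href = "Packages/e/example-1.0-1.fc19.x86_64.rpm"  # constructed name
    primary_xml = (
        f'<metadata xmlns="{COMMON_NS[1:-1]}" packages="1">'
        '<package type="rpm"><name>example</name><arch>x86_64</arch>'
        f'<checksum type="sha256" pkgid="YES">{sha256(package_bytes)}</checksum>'
        f'<location href="{pkg_href}"/></package></metadata>'
    ).encode()
    primary_gz = gzip.compress(primary_xml)
    primary_href = f"repodata/{sha256(primary_gz)}-primary.xml.gz"
    repomd = (
        f'<repomd xmlns="{REPO_NS[1:-1]}"><data type="primary">'
        f'<checksum type="sha256">{sha256(primary_gz)}</checksum>'
        f'<open-checksum type="sha256">{sha256(primary_xml)}</open-checksum>'
        f'<location href="{primary_href}"/></data></repomd>'
    ).encode()
    return repomd, {primary_href: primary_gz, pkg_href: package_bytes}


if __name__ == "__main__":
    good_pkg = b"constructed stand-in for an RPM file"
    repomd, mirror = build_sample_repo(good_pkg)
    print("honest mirror:", chain_is_valid(repomd, mirror))  # True
    stale = dict(mirror)
    stale["Packages/e/example-1.0-1.fc19.x86_64.rpm"] = b"older or modified RPM"
    print("stale mirror: ", chain_is_valid(repomd, stale))   # False
```

Only the repomd.xml download needs the trusted channel; everything below it in the chain is content-addressed, so the bulk transfer can stay on plain HTTP mirrors. What the chain does not provide on its own is freshness of repomd.xml itself, which is why the root document has to come from the project server over HTTPS rather than from the same mirror.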

