Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows

Allen Kistler an037-ooai8 at yahoo.com
Tue Nov 24 21:57:30 UTC 2009


Jesse Keating wrote:
> Well, if you have to use a tool from the project, to verify other bits
> from the project, the verification just became a lot less trusted.  If
> you don't trust the bits you got from the project, why would you trust
> the tool the project gives you to verify the bits?  "Here use this tool
> to verify our bits.  Trust us, we swear!"

I have the same opinion of signing the page with the hashes.  The pages
that list the hashes for F12 are:

https://fedoraproject.org/static/checksums/Fedora-12-i386-CHECKSUM
https://fedoraproject.org/static/checksums/Fedora-12-x86_64-CHECKSUM

They are PGP-signed using *self-signed* keys listed in:

https://fedoraproject.org/static/fedora.gpg

One web page is signed using keys on another web page.  So someone

1. Downloads the ISOs
2. Checks the hash vs. the web page
3. Checks the signature on the web page vs. a key on another web page
4. Cannot check the key

Unless you want people to:

4. Check the key vs. the one on the ISOs

which gets circular.

If we don't trust the page which has the hashes, why do we trust the
page which has the keys more?  If someone can alter the ISOs and then
alter the published hashes to hide their tracks, why not alter the
published keys, as well?  Ultimately I'm wondering what problem we're
solving by signing the web page in the first place.

Sign the hash page with a key which descends from a verifiable, trusted
root (even a key signed by the release manager would be better than
self-signed), or don't sign the page.  I lean toward not signing, and
IRL I'm a paranoid security guy.
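
The hash comparison in step 2 of the list above, sketched as an added example that is not part of the original message or of any Fedora tooling. The line layouts it accepts, the helper names, and the file name `Sample.iso` are assumptions, and the sample CHECKSUM text is constructed at run time.

```python
import hashlib, hmac, pathlib, re, tempfile

# Assumed layouts: sha256sum ("<hex> *name") and BSD ("SHA256 (name) = <hex>").
GNU_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")
BSD_LINE = re.compile(r"^SHA256 \((.+)\) = ([0-9a-fA-F]{64})$")

def parse_checksum_file(text):
    """Return {filename: sha256 hex} from a plain or PGP-clearsigned CHECKSUM file."""
    entries = {}
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break                      # the rest is signature armor, not hash entries
        if line.startswith("- "):
            line = line[2:]            # undo clearsign dash-escaping
        gnu, bsd = GNU_LINE.match(line), BSD_LINE.match(line)
        if gnu:
            entries[gnu.group(2)] = gnu.group(1).lower()
        elif bsd:
            entries[bsd.group(1)] = bsd.group(2).lower()
    return entries

def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:        # stream, so multi-GB ISOs do not fill memory
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(path, name, checksum_text):
    """Return 'ok', 'mismatch' or 'unlisted'. The signature is NOT checked here."""
    expected = parse_checksum_file(checksum_text).get(name)
    if expected is None:
        return "unlisted"
    return "ok" if hmac.compare_digest(sha256_of(path), expected) else "mismatch"

def demo():
    """Constructed stand-in for an ISO and a clearsigned CHECKSUM file listing it."""
    data = b"constructed stand-in for an ISO image\n"
    signed = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n"
              f"{hashlib.sha256(data).hexdigest()} *Sample.iso\n"
              "-----BEGIN PGP SIGNATURE-----\n(placeholder)\n-----END PGP SIGNATURE-----\n")
    with tempfile.TemporaryDirectory() as d:
        iso = pathlib.Path(d, "Sample.iso")
        iso.write_bytes(data)
        good = verify(iso, "Sample.iso", signed)
        iso.write_bytes(data + b"tampered")   # simulate a modified download
        return good, verify(iso, "Sample.iso", signed), verify(iso, "Other.iso", signed)

if __name__ == "__main__":
    print(demo())
```

An `ok` result ties the file only to the CHECKSUM text that was supplied; whether that text and the key that signed it are authentic is the question the message raises.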



