Should Fedora rpms be signed?

Nils Philippsen nphilipp at redhat.com
Fri Oct 29 13:35:28 UTC 2004


On Fri, 2004-10-29 at 08:56 -0400, John Burton wrote:
> Nils Philippsen wrote:
> 
> [...snip...]
> 
> >I still don't see how signing a package makes it more trustworthy than
> >signing the repo metadata. Signing a package gives me some amount of
> >trust in its origin, not its quality or whatever.
> >
> Jumping into this discussion face first...
> As you said, signing a package gives you some amount of trust in its 
> origin.  The trust in its quality is derived from the reputation of the 
> origin, i.e. I would "trust" the quality of a package signed by RedHat 
> before I would "trust" the quality of a package signed by Joe Schmo from 
> xyz. But that "trust" in the RedHat quality would probably be damaged if 
> they were to "sign" pre-release (rawhide) packages. So, releases should 
> be signed, tests should not.

And this assumption is wrong. A signature on a package is absolutely not
correlated to the quality of it. To ease the burden on people's
brains ;-) we have different keys for RHEL, Fedora, final, beta, Rawhide
and whatnot. Therefore there is some kind of weak correlation between
the key used to sign the package and the package's quality. People that
import the Rawhide key should know that it might hose their systems, if
they're not aware of that fact they'd better erase it from their systems
(e.g. "rpm -e gpg-pubkey-e418e3aa-3f439953 gpg-pubkey-1cddbca9-3f9da14c"
would erase the Rawhide keys from my system).

> As far as signing packages vs. signing meta-data... Digital signatures 
> are like real signatures, you want to make sure they are actually 
> attached to what you are signing. If there is a chance that the package 
> that the signed meta-data represents can be changed without invalidating 
> the signature, then you've lost the authentication power of the signature. 
> In the non-digital world, you sign each page of a contract, not a 
> separate blank page attached to the contract. Signing a blank page is 
> meaningless...

ACK.

Nils
-- 
     Nils Philippsen    /    Red Hat    /    nphilipp at redhat.com
"They that can give up essential liberty to obtain a little temporary
 safety deserve neither liberty nor safety."     -- B. Franklin, 1759
 PGP fingerprint:  C4A8 9474 5C4C ADE3 2B8F  656D 47D8 9B65 6951 3011
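The two practical points in the thread are (a) which signing keys a host should have imported, given that Red Hat uses separate keys for release, beta and Rawhide, and (b) that trust has to come from a signature on the package itself, not from metadata that could be swapped out from under it. The script below is an added example (not code from the list, from Nils, or from Fedora) that puts both into a "release keys only" check. The key IDs in ALLOWED_KEY_IDS, the user-ID pattern `rawhide|test`, and the sample `rpm -q`/`rpm -Kv` output in the demo are constructed for illustration; real key IDs differ per release. It relies on `rpm -Kv` printing the header signature's short key ID as `key ID <hex>`, which is the same value as the VERSION field of the corresponding `gpg-pubkey-VERSION-RELEASE` entry.

```sh
#!/bin/sh
# Added example, not from the mailing-list thread or from Fedora.
# Assumptions (illustration only): the key IDs in ALLOWED_KEY_IDS, the
# user-ID pattern 'rawhide|test', and the constructed sample output in demo().
#
# Shown here:
#   1. a "release keys only" policy for the keys imported into the rpm
#      database, i.e. which gpg-pubkey entries to erase (rpm -e gpg-pubkey-...);
#   2. accepting a package only if its *own* header signature was made by an
#      allowed key, the per-package check that signed repo metadata alone
#      does not give you.

# Short key IDs (the VERSION part of gpg-pubkey-VERSION-RELEASE) allowed to
# sign packages this host installs.  Assumed values, not real Fedora keys.
ALLOWED_KEY_IDS="4f2a6fd2 db42a60e"

# Read `rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'`
# on stdin and print NAME-VERSION-RELEASE of every key whose user ID matches
# the (case-insensitive) extended regex in $1.
untrusted_keys() {
    awk -F'\t' -v pat="$1" 'tolower($2) ~ pat { print $1 }'
}

# Read `rpm -Kv pkg.rpm` on stdin and print the lower-case short key ID of
# the header signature ("... key ID 4F2A6FD2 ..."), or nothing if unsigned.
signing_key_id() {
    grep -io 'key id [0-9a-f]*' | head -n 1 | awk '{ print tolower($3) }'
}

# Return 0 if key ID $1 is in the whitespace-separated list $2, else 1.
key_allowed() {
    for k in $2; do
        [ "$k" = "$1" ] && return 0
    done
    return 1
}

# Erase every imported key matching the pre-release pattern.
# Needs rpm and root; not exercised by the demo below.
erase_untrusted_keys() {
    rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' \
        | untrusted_keys 'rawhide|test' \
        | xargs -r rpm -e
}

# Verify one package file: signature and digests must check out (rpm -K
# exits non-zero otherwise) *and* the signing key must be a release key.
# Needs rpm; not exercised by the demo below.
verify_package() {
    pkg="$1"
    if ! rpm -K "$pkg" >/dev/null 2>&1; then
        echo "REJECT $pkg: signature or digest check failed" >&2
        return 1
    fi
    kid=$(rpm -Kv "$pkg" 2>/dev/null | signing_key_id)
    if [ -z "$kid" ] || ! key_allowed "$kid" "$ALLOWED_KEY_IDS"; then
        echo "REJECT $pkg: signed by key '$kid', not a release key" >&2
        return 1
    fi
    echo "ACCEPT $pkg: signed by release key $kid"
}

# Demo on constructed sample output (no rpm needed).
demo() {
    keys=$(printf '%s\t%s\n' \
        'gpg-pubkey-4f2a6fd2-3f9d9d3b' 'gpg(Fedora Project <fedora@redhat.com>)' \
        'gpg-pubkey-e418e3aa-3f439953' 'gpg(Fedora Project (Rawhide) <rawhide@redhat.com>)')
    echo "keys to erase:"
    printf '%s\n' "$keys" | untrusted_keys 'rawhide|test'

    kv=$(printf '%s\n' 'foo-1.0-1.rpm:' \
        '    Header V3 DSA signature: OK, key ID e418e3aa' \
        '    Header SHA1 digest: OK')
    kid=$(printf '%s\n' "$kv" | signing_key_id)
    if key_allowed "$kid" "$ALLOWED_KEY_IDS"; then
        echo "foo-1.0-1.rpm: key $kid allowed"
    else
        echo "foo-1.0-1.rpm: key $kid is not a release key; would be rejected"
    fi
}

case "${1:-}" in
    --erase)  erase_untrusted_keys ;;
    --verify) verify_package "$2" ;;
    *)        demo ;;
esac
```

Run with no arguments for the offline demo; `--erase` and `--verify pkg.rpm` invoke the real rpm commands. Note that the allow-list is what does the work: `rpm -K` alone is satisfied by any imported key, so a host that still carries the Rawhide key would happily accept a Rawhide-signed package until that key is erased or the key ID is rejected here.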