Fedora still doesn't sign its repo data?

Kevin Fenzi kevin at scrye.com
Tue Aug 19 17:26:28 UTC 2014


On Tue, 19 Aug 2014 16:05:12 +0000
Joonas Lehtonen <joonas.lehtonen at bitmessage.ch> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> >>> It's logistically difficult to sign the repodata... but of 
> >>> course it could be done.
> 
> Has someone tried to get this done/accepted before?

Not sure what you mean fully by that, but it's been talked about
before. If you're really interested in it propose it to release
engineering and offer to work on needed code/etc. 

The big downside is that it means the updates compose would stop at the
very end and need to have the repodata signed before it could be pushed
out, so it means someone would have to not only sign packages before an
updates push, but come back many hours later and sign the repodata too. 
I'm sure it would need bodhi changes, possibly mash changes, possibly
changes to the signing tools. 

> >> Is there any kind of certificate pinning in place when verifying 
> >> the certificate of https://mirrors.fedoraproject.org or can the 
> >> certificate be from any trusted CA?
> > 
> > I'm not sure. Yum (and dnf) uses python-urlgrabber, which uses 
> > urlgrabber, which uses curl. So, it would depend on the default 
> > curl config.
> 
> So we could take advantage of the environment variable named
> 'CURL_CA_BUNDLE' to feed it with the issuing CA of
> https://mirrors.fedoraproject.org 's certificate.

I suppose, sure. Or it might be a slightly different env for
urlgrabber... not sure. 
 
> Has fedora a policy where it gets its certificates from?
> Is it always DigiCert?

No, it was another registrar until last year. It hasn't changed often
though. 
 
> Until curl gets DANE support we could use 'CURL_CA_BUNDLE' as a poor
> man's CA pinning?
> 
> http://curl.haxx.se/docs/todo.html#Support_DANE

Sure.

kevin
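As an added illustration of what signing the repodata would buy (this is example code, not anything from the list thread or from Fedora's tooling), the Python below walks the yum/dnf repodata hash chain over constructed sample data: repomd.xml names each metadata file by checksum, so every link is a hash and the chain is only as trustworthy as repomd.xml itself, which is exactly the file that currently arrives unsigned.

```python
"""Walk the yum/dnf repodata hash chain rooted at repomd.xml.

repomd.xml lists each metadata file with a checksum; primary.xml in turn
lists each RPM with a checksum.  Verifying the chain only proves the
files are consistent with whatever repomd.xml was served, so without a
signature over repomd.xml (or a pinned transport for fetching it) a
stale or altered metadata set passes the same check.  All sample data
below is constructed; the namespace URI is the real repomd one.
"""
import hashlib
import xml.etree.ElementTree as ET

NS = {"r": "http://linux.duke.edu/metadata/repo"}

# Constructed stand-in for primary.xml (content is arbitrary for the demo).
PRIMARY_XML = b"<metadata><package><name>example</name></package></metadata>"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_repomd(primary: bytes) -> str:
    """Build a minimal repomd.xml that references `primary` by its sha256."""
    return (
        '<repomd xmlns="http://linux.duke.edu/metadata/repo">\n'
        '  <data type="primary">\n'
        f'    <checksum type="sha256">{sha256(primary)}</checksum>\n'
        '    <location href="repodata/primary.xml"/>\n'
        '  </data>\n'
        '</repomd>'
    )


REPOMD_XML = make_repomd(PRIMARY_XML)


def verify_repodata(repomd_xml: str, files: dict) -> dict:
    """Return {href: bool} for every <data> entry in repomd.xml.

    `files` maps href -> bytes as fetched from the mirror.  A missing
    file, a non-sha256 checksum or a digest mismatch counts as failure.
    """
    results = {}
    for data in ET.fromstring(repomd_xml).findall("r:data", NS):
        loc, cksum = data.find("r:location", NS), data.find("r:checksum", NS)
        href = loc.get("href") if loc is not None else None
        body = files.get(href)
        results[href] = (body is not None and cksum is not None
                         and cksum.get("type") == "sha256"
                         and sha256(body) == (cksum.text or "").strip())
    return results
```

Note that a repomd.xml built by make_repomd over any other primary.xml verifies just as cleanly, which is the gap a detached signature on repomd.xml (checked before anything in it is trusted) closes.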