Re: System upgrade verification

Jonathan Ryshpan wrote:
> To upgrade from Fedora-37 to Fedora-38 the instructions
> (https://docs.fedoraproject.org/en-US/quick-docs/dnf-system-upgrade/)
> say:
>    ...
>    5. When the new GPG key is imported, you are asked to verify the key’s
>    fingerprint. Refer to https://getfedora.org/security to do so.
> Which never happened. I have continued with the upgrade. Is this safe?

Short answer: Yes.

Long answer: While it's good to verify things, it's not a
large risk if you skipped it.  The fedora-gpg-keys package
ships the signing keys for new releases.  That is then used
by the upgrade process to install the key for the new
release.

Let's say you started with Fedora 36 and did a clean
install.  You download the install image and verify it.
Once installed, all the package updates are checked using
the Fedora 36 signing key.  That includes updates to the
fedora-gpg-keys package.

When you eventually upgrade to either Fedora 37 or 38, the
upgrade process uses the signing key from the local disk,
which has already been verified by the package signature of
the current release.

There's a clear chain from the Fedora 36 key to the Fedora
38 key in this case.  Unless the Fedora infrastructure has
been badly compromised, you're perfectly safe to perform the
system upgrade without manually verifying the key
fingerprints.  It doesn't hurt to verify them, but it's not
the end of the world if you don't.

And if the Fedora infrastructure is compromised, then
checking the fingerprints on what might be a compromised web
site isn't really going to help. :)

-- 
Todd
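
One way to check the chain described in the reply above on an installed system, as an added example that is not part of the original message: confirm that the key file is owned by an installed package whose files still match the RPM database, then compare its fingerprint with a value obtained out of band. It assumes `rpm` and `gpg` are installed; the function names, the sample listing and the fingerprints are constructed for illustration.

```sh
#!/bin/sh
# Added example. The listing and fingerprints below are constructed,
# not real Fedora keys.

# Constructed `gpg --with-colons` listing: one primary key, one subkey.
SAMPLE_COLONS='pub:-:4096:1:89ABCDEF01234567:1660000000:::-:::scSC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1660000000::::Constructed Key <key@example.invalid>:
sub:-:4096:1:FEDCBA9876543210:1660000000::::::e::::::23:
fpr:::::::::76543210FEDCBA9876543210FEDCBA9876543210:'

# Normalize a fingerprint as printed on a web page: drop whitespace,
# upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Read a colon listing on stdin and print primary-key fingerprints only.
# The "fpr" record right after a "pub" record holds it in field 10;
# "fpr" records that follow "sub" records are subkeys and are skipped.
fprs_from_colons() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Succeed only if the expected fingerprint ($1) is a primary key
# in the colon listing on stdin.
fpr_matches() (
    expected=$(normalize_fpr "$1")
    [ -n "$expected" ] || exit 1
    fprs_from_colons | grep -qxF "$expected"
)

# Check one key file: a package must own it, that package's installed
# files must still match the RPM database, and the fingerprint must match.
check_key() (
    keyfile=$1; expected=$2
    pkg=$(rpm -qf "$keyfile") || { echo "no package owns $keyfile" >&2; exit 1; }
    rpm -V "$pkg" >&2 || { echo "$pkg: files differ from RPM database" >&2; exit 1; }
    gpg --show-keys --with-colons "$keyfile" | fpr_matches "$expected"
)

# Usage: script KEYFILE EXPECTED_FINGERPRINT
if [ "$#" -eq 2 ]; then check_key "$1" "$2"; fi
```

`rpm -V` only shows that the file on disk is what the installed package recorded; the signature on that package was checked when it was installed or updated.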
