Re: System upgrade verification

On Wed, May 17, 2023 at 9:43 PM Todd Zullinger <tmz@xxxxxxxxx> wrote:
>
> Jonathan Ryshpan wrote:
> > To upgrade from Fedora-37 to Fedora-38 the instructions
> > (https://docs.fedoraproject.org/en-US/quick-docs/dnf-system-upgrade/)
> > say:
> >    ...
> >    5. When the new GPG key is imported, you are asked to verify the key’s
> >    fingerprint. Refer to https://getfedora.org/security to do so.
> > Which never happened. I have continued with the upgrade. Is this safe?
>
> Short answer: Yes.
>
> Long answer: While it's good to verify things, it's not a
> large risk if you skipped it.  The fedora-gpg-keys package
> ships the signing keys for new releases.  That is then used
> by the upgrade process to install the key for the new
> release.
>
> Let's say you started with Fedora 36 and did a clean
> install.  You download the install image and verify it.
> Once installed, all the package updates are checked using
> the Fedora 36 signing key.  That includes updates to the
> fedora-gpg-keys package.
>
> When you eventually upgrade to either Fedora 37 or 38, the
> upgrade process uses the signing key from the local disk,
> which has already been verified by the package signature of
> the current release.
>
> There's a clear chain from the Fedora 36 key to the Fedora
> 38 key in this case.  Unless the Fedora infrastructure has
> been badly compromised, you're perfectly safe to perform the
> system upgrade without manually verifying the key
> fingerprints.  It doesn't hurt to verify them, but it's not
> the end of the world if you don't.
>
> And if the Fedora infrastructure is compromised, then
> checking the fingerprints on what might be a compromised web
> site isn't really going to help. :)

This always baffles me... Fedora includes irrelevant keys. For
example, old keys and keys for different arches. Something feels wrong
about trusting them.

$ ls /etc/pki/rpm-gpg
RPM-GPG-KEY-38-fedora            RPM-GPG-KEY-fedora-26-i386
RPM-GPG-KEY-fedora-10-i386       RPM-GPG-KEY-fedora-26-ppc64
RPM-GPG-KEY-fedora-10-ppc        RPM-GPG-KEY-fedora-26-ppc64le
RPM-GPG-KEY-fedora-10-ppc64      RPM-GPG-KEY-fedora-26-primary
RPM-GPG-KEY-fedora-10-primary    RPM-GPG-KEY-fedora-26-s390x
RPM-GPG-KEY-fedora-10-x86_64     RPM-GPG-KEY-fedora-26-secondary
RPM-GPG-KEY-fedora-11-i386       RPM-GPG-KEY-fedora-26-x86_64
RPM-GPG-KEY-fedora-11-ppc        RPM-GPG-KEY-fedora-27-aarch64
RPM-GPG-KEY-fedora-11-ppc64      RPM-GPG-KEY-fedora-27-armhfp
RPM-GPG-KEY-fedora-11-primary    RPM-GPG-KEY-fedora-27-i386
RPM-GPG-KEY-fedora-11-x86_64     RPM-GPG-KEY-fedora-27-ppc64
RPM-GPG-KEY-fedora-12-i386       RPM-GPG-KEY-fedora-27-ppc64le
RPM-GPG-KEY-fedora-12-ppc        RPM-GPG-KEY-fedora-27-primary
RPM-GPG-KEY-fedora-12-ppc64      RPM-GPG-KEY-fedora-27-s390x
RPM-GPG-KEY-fedora-12-primary    RPM-GPG-KEY-fedora-27-x86_64
RPM-GPG-KEY-fedora-12-x86_64     RPM-GPG-KEY-fedora-28-aarch64
RPM-GPG-KEY-fedora-13-arm        RPM-GPG-KEY-fedora-28-armhfp
RPM-GPG-KEY-fedora-13-armhfp     RPM-GPG-KEY-fedora-28-i386
RPM-GPG-KEY-fedora-13-i386       RPM-GPG-KEY-fedora-28-ppc64
RPM-GPG-KEY-fedora-13-mips       RPM-GPG-KEY-fedora-28-ppc64le
RPM-GPG-KEY-fedora-13-primary    RPM-GPG-KEY-fedora-28-primary
RPM-GPG-KEY-fedora-13-secondary  RPM-GPG-KEY-fedora-28-s390x
RPM-GPG-KEY-fedora-13-x86_64     RPM-GPG-KEY-fedora-28-x86_64
RPM-GPG-KEY-fedora-14-arm        RPM-GPG-KEY-fedora-29-aarch64
RPM-GPG-KEY-fedora-14-i386       RPM-GPG-KEY-fedora-29-armhfp
RPM-GPG-KEY-fedora-14-primary    RPM-GPG-KEY-fedora-29-i386
RPM-GPG-KEY-fedora-14-secondary  RPM-GPG-KEY-fedora-29-ppc64
RPM-GPG-KEY-fedora-14-x86_64     RPM-GPG-KEY-fedora-29-ppc64le
RPM-GPG-KEY-fedora-15-arm        RPM-GPG-KEY-fedora-29-primary
RPM-GPG-KEY-fedora-15-armhfp     RPM-GPG-KEY-fedora-29-s390x
RPM-GPG-KEY-fedora-15-i386       RPM-GPG-KEY-fedora-29-x86_64
RPM-GPG-KEY-fedora-15-ppc        RPM-GPG-KEY-fedora-30-aarch64
RPM-GPG-KEY-fedora-15-ppc64      RPM-GPG-KEY-fedora-30-armhfp
RPM-GPG-KEY-fedora-15-primary    RPM-GPG-KEY-fedora-30-i386
RPM-GPG-KEY-fedora-15-s390       RPM-GPG-KEY-fedora-30-ppc64le
RPM-GPG-KEY-fedora-15-s390x      RPM-GPG-KEY-fedora-30-primary
RPM-GPG-KEY-fedora-15-secondary  RPM-GPG-KEY-fedora-30-s390x
RPM-GPG-KEY-fedora-15-x86_64     RPM-GPG-KEY-fedora-30-x86_64
RPM-GPG-KEY-fedora-16-arm        RPM-GPG-KEY-fedora-31-aarch64
RPM-GPG-KEY-fedora-16-armhfp     RPM-GPG-KEY-fedora-31-armhfp
RPM-GPG-KEY-fedora-16-i386       RPM-GPG-KEY-fedora-31-i386
RPM-GPG-KEY-fedora-16-ppc        RPM-GPG-KEY-fedora-31-ppc64le
RPM-GPG-KEY-fedora-16-ppc64      RPM-GPG-KEY-fedora-31-primary
RPM-GPG-KEY-fedora-16-primary    RPM-GPG-KEY-fedora-31-s390x
RPM-GPG-KEY-fedora-16-s390       RPM-GPG-KEY-fedora-31-x86_64
RPM-GPG-KEY-fedora-16-s390x      RPM-GPG-KEY-fedora-32-aarch64
RPM-GPG-KEY-fedora-16-secondary  RPM-GPG-KEY-fedora-32-armhfp
RPM-GPG-KEY-fedora-16-x86_64     RPM-GPG-KEY-fedora-32-i386
RPM-GPG-KEY-fedora-17-arm        RPM-GPG-KEY-fedora-32-ppc64le
RPM-GPG-KEY-fedora-17-armhfp     RPM-GPG-KEY-fedora-32-primary
RPM-GPG-KEY-fedora-17-i386       RPM-GPG-KEY-fedora-32-s390x
RPM-GPG-KEY-fedora-17-ppc        RPM-GPG-KEY-fedora-32-x86_64
RPM-GPG-KEY-fedora-17-ppc64      RPM-GPG-KEY-fedora-33-aarch64
RPM-GPG-KEY-fedora-17-primary    RPM-GPG-KEY-fedora-33-armhfp
RPM-GPG-KEY-fedora-17-s390       RPM-GPG-KEY-fedora-33-i386
RPM-GPG-KEY-fedora-17-s390x      RPM-GPG-KEY-fedora-33-ppc64le
RPM-GPG-KEY-fedora-17-secondary  RPM-GPG-KEY-fedora-33-primary
RPM-GPG-KEY-fedora-17-x86_64     RPM-GPG-KEY-fedora-33-s390x
RPM-GPG-KEY-fedora-18-arm        RPM-GPG-KEY-fedora-33-x86_64
RPM-GPG-KEY-fedora-18-armhfp     RPM-GPG-KEY-fedora-34-aarch64
RPM-GPG-KEY-fedora-18-i386       RPM-GPG-KEY-fedora-34-armhfp
RPM-GPG-KEY-fedora-18-ppc        RPM-GPG-KEY-fedora-34-i386
RPM-GPG-KEY-fedora-18-ppc64      RPM-GPG-KEY-fedora-34-ppc64le
RPM-GPG-KEY-fedora-18-primary    RPM-GPG-KEY-fedora-34-primary
RPM-GPG-KEY-fedora-18-s390       RPM-GPG-KEY-fedora-34-s390x
RPM-GPG-KEY-fedora-18-s390x      RPM-GPG-KEY-fedora-34-x86_64
RPM-GPG-KEY-fedora-18-secondary  RPM-GPG-KEY-fedora-35-aarch64
RPM-GPG-KEY-fedora-18-x86_64     RPM-GPG-KEY-fedora-35-armhfp
RPM-GPG-KEY-fedora-19-armhfp     RPM-GPG-KEY-fedora-35-ppc64le
RPM-GPG-KEY-fedora-19-i386       RPM-GPG-KEY-fedora-35-primary
RPM-GPG-KEY-fedora-19-ppc        RPM-GPG-KEY-fedora-35-s390x
RPM-GPG-KEY-fedora-19-ppc64      RPM-GPG-KEY-fedora-35-x86_64
RPM-GPG-KEY-fedora-19-primary    RPM-GPG-KEY-fedora-36-aarch64
RPM-GPG-KEY-fedora-19-s390       RPM-GPG-KEY-fedora-36-armhfp
RPM-GPG-KEY-fedora-19-s390x      RPM-GPG-KEY-fedora-36-ppc64le
RPM-GPG-KEY-fedora-19-secondary  RPM-GPG-KEY-fedora-36-primary
RPM-GPG-KEY-fedora-19-x86_64     RPM-GPG-KEY-fedora-36-s390x
RPM-GPG-KEY-fedora-20-armhfp     RPM-GPG-KEY-fedora-36-x86_64
RPM-GPG-KEY-fedora-20-i386       RPM-GPG-KEY-fedora-37-aarch64
RPM-GPG-KEY-fedora-20-ppc        RPM-GPG-KEY-fedora-37-armhfp
RPM-GPG-KEY-fedora-20-ppc64      RPM-GPG-KEY-fedora-37-ppc64le
RPM-GPG-KEY-fedora-20-primary    RPM-GPG-KEY-fedora-37-primary
RPM-GPG-KEY-fedora-20-s390       RPM-GPG-KEY-fedora-37-s390x
RPM-GPG-KEY-fedora-20-s390x      RPM-GPG-KEY-fedora-37-x86_64
RPM-GPG-KEY-fedora-20-secondary  RPM-GPG-KEY-fedora-38-aarch64
RPM-GPG-KEY-fedora-20-x86_64     RPM-GPG-KEY-fedora-38-ppc64le
RPM-GPG-KEY-fedora-21-aarch64    RPM-GPG-KEY-fedora-38-primary
RPM-GPG-KEY-fedora-21-armhfp     RPM-GPG-KEY-fedora-38-s390x
RPM-GPG-KEY-fedora-21-i386       RPM-GPG-KEY-fedora-38-x86_64
RPM-GPG-KEY-fedora-21-ppc64      RPM-GPG-KEY-fedora-39-aarch64
RPM-GPG-KEY-fedora-21-ppc64le    RPM-GPG-KEY-fedora-39-ppc64le
RPM-GPG-KEY-fedora-21-primary    RPM-GPG-KEY-fedora-39-primary
RPM-GPG-KEY-fedora-21-s390       RPM-GPG-KEY-fedora-39-s390x
RPM-GPG-KEY-fedora-21-s390x      RPM-GPG-KEY-fedora-39-x86_64
RPM-GPG-KEY-fedora-21-secondary  RPM-GPG-KEY-fedora-40-aarch64
RPM-GPG-KEY-fedora-21-x86_64     RPM-GPG-KEY-fedora-40-ppc64le
RPM-GPG-KEY-fedora-22-aarch64    RPM-GPG-KEY-fedora-40-primary
RPM-GPG-KEY-fedora-22-armhfp     RPM-GPG-KEY-fedora-40-s390x
RPM-GPG-KEY-fedora-22-i386       RPM-GPG-KEY-fedora-40-x86_64
RPM-GPG-KEY-fedora-22-ppc64      RPM-GPG-KEY-fedora-7-i386
RPM-GPG-KEY-fedora-22-ppc64le    RPM-GPG-KEY-fedora-7-ppc
RPM-GPG-KEY-fedora-22-primary    RPM-GPG-KEY-fedora-7-ppc64
RPM-GPG-KEY-fedora-22-s390       RPM-GPG-KEY-fedora-7-primary
RPM-GPG-KEY-fedora-22-s390x      RPM-GPG-KEY-fedora-7-x86_64
RPM-GPG-KEY-fedora-22-secondary  RPM-GPG-KEY-fedora-8-i386
RPM-GPG-KEY-fedora-22-x86_64     RPM-GPG-KEY-fedora-8-ppc
RPM-GPG-KEY-fedora-23-aarch64    RPM-GPG-KEY-fedora-8-ppc64
RPM-GPG-KEY-fedora-23-armhfp     RPM-GPG-KEY-fedora-8-primary
RPM-GPG-KEY-fedora-23-i386       RPM-GPG-KEY-fedora-8-primary-original
RPM-GPG-KEY-fedora-23-ppc64      RPM-GPG-KEY-fedora-8-x86_64
RPM-GPG-KEY-fedora-23-ppc64le    RPM-GPG-KEY-fedora-9-i386
RPM-GPG-KEY-fedora-23-primary    RPM-GPG-KEY-fedora-9-ia64
RPM-GPG-KEY-fedora-23-s390       RPM-GPG-KEY-fedora-9-ppc
RPM-GPG-KEY-fedora-23-s390x      RPM-GPG-KEY-fedora-9-ppc64
RPM-GPG-KEY-fedora-23-secondary  RPM-GPG-KEY-fedora-9-primary
RPM-GPG-KEY-fedora-23-x86_64     RPM-GPG-KEY-fedora-9-primary-original
RPM-GPG-KEY-fedora-24-aarch64    RPM-GPG-KEY-fedora-9-secondary
RPM-GPG-KEY-fedora-24-armhfp     RPM-GPG-KEY-fedora-9-x86_64
RPM-GPG-KEY-fedora-24-i386       RPM-GPG-KEY-fedora-eln-aarch64
RPM-GPG-KEY-fedora-24-ppc64      RPM-GPG-KEY-fedora-eln-ppc64le
RPM-GPG-KEY-fedora-24-ppc64le    RPM-GPG-KEY-fedora-eln-primary
RPM-GPG-KEY-fedora-24-primary    RPM-GPG-KEY-fedora-eln-s390x
RPM-GPG-KEY-fedora-24-s390x      RPM-GPG-KEY-fedora-eln-x86_64
RPM-GPG-KEY-fedora-24-secondary  RPM-GPG-KEY-fedora-iot-2019
RPM-GPG-KEY-fedora-24-x86_64     RPM-GPG-KEY-fedora-iot-aarch64
RPM-GPG-KEY-fedora-25-aarch64    RPM-GPG-KEY-fedora-iot-armhfp
RPM-GPG-KEY-fedora-25-armhfp     RPM-GPG-KEY-fedora-iot-i386
RPM-GPG-KEY-fedora-25-i386       RPM-GPG-KEY-fedora-iot-ppc64le
RPM-GPG-KEY-fedora-25-ppc64      RPM-GPG-KEY-fedora-iot-s390x
RPM-GPG-KEY-fedora-25-ppc64le    RPM-GPG-KEY-fedora-iot-x86_64
RPM-GPG-KEY-fedora-25-primary    RPM-GPG-KEY-fedora-modularity
RPM-GPG-KEY-fedora-25-s390x      RPM-GPG-KEY-fedora-rawhide-aarch64
RPM-GPG-KEY-fedora-25-secondary  RPM-GPG-KEY-fedora-rawhide-ppc64le
RPM-GPG-KEY-fedora-25-x86_64     RPM-GPG-KEY-fedora-rawhide-primary
RPM-GPG-KEY-fedora-26-aarch64    RPM-GPG-KEY-fedora-rawhide-s390x
RPM-GPG-KEY-fedora-26-armhfp     RPM-GPG-KEY-fedora-rawhide-x86_64
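
Added example, not part of the original message or Fedora's own tooling: a sketch of how a repo's gpgkey= line narrows the many files in /etc/pki/rpm-gpg to the one key file that is read for a given release and architecture. The URL form, the symlink layout and the sample directory are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. The gpgkey= URL and the directory
# contents are constructed samples modelled on the listing above.

# Expand the dnf variables in a gpgkey= URL and strip the file:// scheme.
resolve_gpgkey() {  # usage: resolve_gpgkey URL RELEASEVER BASEARCH
    printf '%s\n' "$1" | sed -e "s|\\\$releasever|$2|g" \
        -e "s|\\\$basearch|$3|g" -e 's|^file://||'
}

# Print the key files the URL selects inside DIR: the named file and, when
# that file is a symlink, its target. That is the key read for the repo.
referenced_keys() {  # usage: referenced_keys DIR URL RELEASEVER BASEARCH
    path=$1/$(basename "$(resolve_gpgkey "$2" "$3" "$4")")
    [ -e "$path" ] || return 1
    basename "$path"
    if [ -L "$path" ]; then basename "$(readlink "$path")"; fi
}

# Print the key files in DIR that the URL does not select.
unreferenced_keys() {  # same arguments as referenced_keys
    used=$(referenced_keys "$@") || used=
    for f in "$1"/RPM-GPG-KEY-*; do
        name=$(basename "$f")
        printf '%s\n' "$used" | grep -qxF "$name" || printf '%s\n' "$name"
    done
}

# Constructed sample directory. Assumption: per-arch names are symlinks to
# the release's -primary key file.
make_sample_dir() {
    d=$(mktemp -d)
    for rel in 10 37 38; do : > "$d/RPM-GPG-KEY-fedora-$rel-primary"; done
    for arch in x86_64 s390x; do
        ln -s RPM-GPG-KEY-fedora-38-primary "$d/RPM-GPG-KEY-fedora-38-$arch"
    done
    printf '%s\n' "$d"
}

# Assumed form of the gpgkey= line in the Fedora repo files.
SAMPLE_URL='file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch'

dir=$(make_sample_dir)
echo "selected:";     referenced_keys   "$dir" "$SAMPLE_URL" 38 x86_64
echo "not selected:"; unreferenced_keys "$dir" "$SAMPLE_URL" 38 x86_64
rm -rf "$dir"
```

On an installed system, `rpm -q gpg-pubkey` lists the keys that have actually been imported into the rpm keyring, which is the set that package signature checks use.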