I'm not on the yum / RPM list and I don't know that I want to join just
to discuss this, but with respect to GPG keys - it is a classic example of
trust on first use.

The first time yum installs a package, it asks to import the GPG key
used to sign the packages. Most people accept without validating the key.

This is potentially exploitable because most repositories are http.

What if there was a DNS TXT record that corresponds with the repository,
with the fingerprint of the key?

The DNS record could be DNSSEC secured (I believe Fedora already uses
DNSSEC - some of their servers anyway) and yum could refuse to ask if
the fingerprint of the key it is importing does not match the DNSSEC
secured fingerprint.

Something like a TXT record for

_rpmkey.security.centos.org.

could be requested for the fingerprint for security@xxxxxxxxxx

Advantage over gpg keyrings is that it can be implemented by anyone
without needing to manage your keys with specific gpg keyrings, which
has always been messy.

When yum is first asked to import a key, it refuses if it cannot DNSSEC
validate the fingerprint.

After it DNSSEC validates the fingerprint, it can then do what it
currently does, where the user can verify they trust the key.

To get a fingerprint in the centos.org zone and signed by DNSSEC would
not be easy for a malicious packager to do.

Furthermore when a signing key has been compromised (happened with
Fedora once) changing the DNS record would prevent the key from being
imported in the future, and could even prevent packages signed by that
key from being installed in the future even if the key is already imported.

For offline yum usage, a switch could be used to tell yum not to do the
DNS lookup and DNSSEC validation.

Thoughts?
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
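
The check proposed in the message above, sketched as an added example (not part of the original post and not yum's code). It assumes the TXT record holds the bare hex fingerprint and that the resolver reports whether the answer was DNSSEC validated; `TxtAnswer`, `may_import_key`, the `lookup` callable and the example.org names are hypothetical.

```python
import hmac
import re
from typing import Callable, List, NamedTuple, Optional, Tuple

class TxtAnswer(NamedTuple):          # hypothetical resolver result
    strings: List[str]                # TXT strings found at the name
    authenticated: bool               # True only if DNSSEC validation succeeded

Lookup = Callable[[str], Optional[TxtAnswer]]

def normalize_fpr(text: str) -> Optional[str]:
    """Upper-case hex fingerprint without spaces/colons, or None if malformed."""
    fpr = re.sub(r"[\s:]", "", text).upper()
    return fpr if re.fullmatch(r"[0-9A-F]{40}|[0-9A-F]{64}", fpr) else None

def may_import_key(key_fpr: str, owner: str, lookup: Lookup,
                   offline: bool = False) -> Tuple[bool, str]:
    """Decide whether the usual import prompt may be shown for key_fpr."""
    wanted = normalize_fpr(key_fpr)
    if wanted is None:
        return False, "malformed key fingerprint"
    if offline:                       # the proposed switch for offline use
        return True, "DNS check skipped"
    answer = lookup("_rpmkey.%s." % owner.rstrip("."))
    if answer is None:                # record absent or withdrawn
        return False, "no TXT record published"
    if not answer.authenticated:      # unsigned or bogus data proves nothing
        return False, "answer not DNSSEC validated"
    for raw in answer.strings:
        published = normalize_fpr(raw)
        if published and hmac.compare_digest(published, wanted):
            return True, "fingerprint matches validated record"
    return False, "fingerprint not in validated record"

# Constructed sample data: fake fingerprints and a fake zone, no network access.
GOOD = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
EVIL = "F" * 40
ZONE = {"_rpmkey.security.example.org.": TxtAnswer([GOOD.lower()], True),
        "_rpmkey.unsigned.example.org.": TxtAnswer([GOOD], False)}

if __name__ == "__main__":
    for fpr, owner in [(GOOD, "security.example.org"),
                       (EVIL, "security.example.org"),
                       (GOOD, "unsigned.example.org"),
                       (GOOD, "missing.example.org")]:
        print(owner, fpr[:9], may_import_key(fpr, owner, ZONE.get))
```

Withdrawing or changing the record after a key compromise makes the same call return a refusal, which is the revocation behaviour the message describes.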