Re: yum/RPM and Trust on First Use

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]





On 12/19/2015 02:12 AM, Gordon Messmer wrote:
On 12/15/2015 07:05 PM, Alice Wonder wrote:
The first time yum installs a package, it asks to import the GPG key
used to sign the packages. Most people accept without validating the key.

While that is true, it is important to note that yum will only import
keys that are already installed on disk, in /etc/pki/rpm-gpg.  Which
means that only keys that were *previously* installed from a trusted
source can be added to the trust database. Initially, that set comes
from your install media.  Assuming that you verified the sum of the
media you used for installation, this is a reasonably secure mechanism.


With third party repositories the key and configuration file is often distributed separately. That's the potential attack vector for trojan keys.



If you're going to verify the key against a DNS record for every package
you install, forever, why have a GPG keyring at all?

Well I'm not a big fan of GPG keyrings to be honest, it is a difficult system for users and contains abandoned keys and compromised keys that aren't revoked because the owner can't revoke them if they lost their private key.

DNS verification solves that issue.

--
-=-
Sent my from my laptop, may not be able to respond timely
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos



[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux