> The pointlessness is why I started off by saying a valid GPG signature
> makes checking the MD5sum unnecessary. (ie: only check step 1 above, all
> the rest is unnecessary.)
>
> The more paranoid method I describe checks for inconsistencies between
> the SRPM and other documentation on the SRPM (same person signed both
> files which seem to both refer to the same SRPM. A double check.) In
> the real world, if someone could compromise an SRPM on a server, they
> could probably also compromise the md5sum file.
>
> This stems from a piece of my original post which you snipped which
> states that I was testing fedora-startqa and it verified the SRPM GPG
> but then errored out because the MD5sum file wasn't up-to-date (and so
> couldn't find the SRPM listed there.) From your comments here, I think
> you're planning on removing the md5sum checking so this problem is going
> away.
>
> > You still haven't necessarily verified the gpg signature against a web
> > of trust, which is FAR more likely to be the source of a problem. I'm
> > not really involved with any of these (webs of trust), but when we
> > convert the script over to checking RPM sigs using GPG (imminent) we can
> > indicate whether or not the signature that passed was a "trusted" one in
> > your review account's gpg keyring.
>
> Yes, distributing trust is the real tricky problem of gpg.

Cool. Looks like we are on the same page here then. My current inclination is to require a valid gpg signature, but check md5sums if possible and note to the user if anything is inconsistent. It certainly wouldn't hurt to also check that the md5sums are signed by the same key as the SRPM, although I doubt many crooks will be caught by it :)

--erik
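The policy erik settles on above (a valid GPG signature on the SRPM is required; the md5sum listing is an extra consistency check that only produces notes, plus a check that both files were signed by the same key) can be written down as a small checker. The following is an added example and is not code from fedora-startqa or from anyone in the thread. It assumes the status text comes from `gpg --status-fd 1 --verify` (a real gpg option whose `[GNUPG:] GOODSIG` / `VALIDSIG` / `TRUST_*` lines are parsed here); the status lines, key fingerprints, SRPM bytes and md5sum listing are all constructed samples, and every function name is the example's own. It goes one step beyond the thread in rejecting an SRPM whose bytes contradict the published md5sum listing rather than only noting it, since that is a direct inconsistency between two things the reviewer downloaded.

```python
"""Added example: SRPM signature policy from the thread.

Require a good GPG signature on the SRPM; treat the md5sum listing as a
cross-check that produces notes; flag when the listing and the SRPM were
signed by different keys. All inputs below are constructed samples in the
real `gpg --status-fd 1 --verify` line format.
"""
import hashlib
import re

# Trust levels gpg reports for the signing key via --status-fd.
TRUSTED = ("TRUST_ULTIMATE", "TRUST_FULLY")
TRUST_LEVELS = TRUSTED + ("TRUST_MARGINAL", "TRUST_NEVER", "TRUST_UNDEFINED")


def parse_gpg_status(status_text):
    """Reduce `[GNUPG:] ...` status lines to good / fingerprint / trust."""
    verdict = {"good": False, "fingerprint": None, "trust": None}
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag = fields[1]
        if tag == "GOODSIG":
            verdict["good"] = True
        elif tag in ("BADSIG", "ERRSIG", "NODATA"):
            verdict["good"] = False
            break
        elif tag == "VALIDSIG" and len(fields) > 2:
            verdict["fingerprint"] = fields[2].upper()  # signing key fingerprint
        elif tag in TRUST_LEVELS:
            verdict["trust"] = tag
    return verdict


MD5_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(\S.*)$")  # "<hex>  <name>"


def check_md5sum_listing(listing, filename, data):
    """Look filename up in an md5sum-style listing: ok / mismatch / not_listed."""
    actual = hashlib.md5(data).hexdigest()
    for line in listing.splitlines():
        m = MD5_LINE.match(line.strip())
        if m and m.group(2) == filename:
            return "ok" if m.group(1).lower() == actual else "mismatch"
    return "not_listed"


def verify_srpm(srpm_status, md5_status, listing, srpm_name, srpm_data):
    """Return (accepted, notes). The SRPM signature decides acceptance; the
    listing only adds notes, except that a hash that contradicts the SRPM
    bytes is rejected outright."""
    srpm_sig = parse_gpg_status(srpm_status)
    if not srpm_sig["good"]:
        return False, ["SRPM GPG signature is missing or invalid"]
    notes = []
    if srpm_sig["trust"] not in TRUSTED:
        notes.append("SRPM signing key is not trusted in this keyring")
    md5_sig = parse_gpg_status(md5_status)
    if not md5_sig["good"]:
        notes.append("md5sum file signature is missing or invalid")
    elif md5_sig["fingerprint"] != srpm_sig["fingerprint"]:
        notes.append("md5sum file and SRPM were signed by different keys")
    state = check_md5sum_listing(listing, srpm_name, srpm_data)
    if state == "not_listed":
        notes.append("md5sum file does not list %s (stale listing?)" % srpm_name)
    elif state == "mismatch":
        notes.append("md5sum file disagrees with the SRPM contents")
        return False, notes
    return True, notes


# Constructed sample data (not real packages, keys or hashes).
SRPM_NAME = "example-1.0-1.src.rpm"
SRPM_DATA = b"constructed stand-in for the SRPM bytes\n"
KEY_A = "0" * 24 + "0123456789ABCDEF"   # 40-hex-digit constructed fingerprint
KEY_B = "0" * 24 + "FEDCBA9876543210"   # a second, different constructed key
GOOD_LISTING = "%s  %s\n" % (hashlib.md5(SRPM_DATA).hexdigest(), SRPM_NAME)
STALE_LISTING = "d41d8cd98f00b204e9800998ecf8427e  example-0.9-1.src.rpm\n"


def gpg_status(fingerprint, trust, good=True):
    """Build constructed status lines in the --status-fd line format."""
    uid = "Example Packager <packager@example.org>"
    if not good:
        return "[GNUPG:] BADSIG %s %s\n" % (fingerprint[-16:], uid)
    return ("[GNUPG:] GOODSIG %s %s\n"
            "[GNUPG:] VALIDSIG %s 2004-01-01 1072915200 0 4 0 17 2 00 %s\n"
            "[GNUPG:] %s\n" % (fingerprint[-16:], uid, fingerprint, fingerprint, trust))


def demo():
    """Run the policy over the constructed cases; returns {case: (accepted, notes)}.
    In the 'tampered' case the signature status is held fixed so that only the
    listing check is exercised."""
    a = gpg_status(KEY_A, "TRUST_FULLY")
    b = gpg_status(KEY_B, "TRUST_UNDEFINED")
    bad = gpg_status(KEY_A, "TRUST_FULLY", good=False)
    return {
        "consistent": verify_srpm(a, a, GOOD_LISTING, SRPM_NAME, SRPM_DATA),
        "stale_listing": verify_srpm(a, a, STALE_LISTING, SRPM_NAME, SRPM_DATA),
        "different_keys": verify_srpm(a, b, GOOD_LISTING, SRPM_NAME, SRPM_DATA),
        "tampered": verify_srpm(a, a, GOOD_LISTING, SRPM_NAME, SRPM_DATA + b"x"),
        "bad_srpm_sig": verify_srpm(bad, a, GOOD_LISTING, SRPM_NAME, SRPM_DATA),
    }


if __name__ == "__main__":
    for case, (ok, notes) in demo().items():
        print("%-15s %s  %s" % (case, "ACCEPT" if ok else "REJECT", "; ".join(notes)))
```

The "stale_listing" case is the situation described earlier in the thread: the SRPM signature is good but the md5sum file does not mention the package yet, which here becomes a note rather than an error. Key trust (the "web of trust" point) is reported from the `TRUST_*` line, so a signature that verifies under an untrusted key is accepted but flagged.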