Peter Jones wrote:
> On Tue, Jan 08, 2013 at 05:46:04PM +0100, Björn Persson wrote:
> > In my opinion, if Anaconda finds that it was booted without Secure
> > Boot, then it should assume that the user has verified the checksum on
> > the installation image and that the keys therein are therefore trusted,
> > and use those keys to verify any packages it downloads.
>
> Feel free to submit a feature for this and patches for it if you feel
> it's appropriate to do so.

I want to; it's just that if I tried to actually do everything I want to do, I'd spread myself so thin that I'd never get anything done at all.

> I don't happen to think it is, so I'm not going to.

Do you think anything is gained security-wise by omitting the signature checking? Is the installation more secure if the packages aren't verified at all than if they are verified against an uncertain root of trust? Or does it take more programming work to do the same checking in all cases than it takes to enable or disable the checking depending on whether Secure Boot was used?

> > It's enough to verify downloaded packages in that case. Packages
> > included on the boot medium don't need to be checked if the boot medium
> > is trusted, but of course it doesn't hurt to verify those too if it's
> > easier to program that way.
>
> It's hard to figure out how these are more trustable than downloaded
> packages, given that using boot media that wasn't downloaded is a very
> rare way to install Fedora.

DVD images have usually been published together with a file of checksums, and I hope that practice will continue. The DVD image can be verified with the checksum. The checksum can be verified with the PGP signature on the checksum file. The signature is made with the Fedora project's release key. The release key can be downloaded from Fedora's server over HTTPS. The HTTPS session is secured with an X.509 key that belongs to Red Hat. The X.509 key is certified by a CA key that belongs to Geotrust. The CA key is certified by Geotrust's root CA key.

The question is then how the user acquired a copy of the root CA certificate. In many cases it was included with an operating system that was already installed when the user bought the computer, much like how the platform key for Secure Boot is already installed when the user buys the computer. In other cases the root CA certificate came with a browser or an OS that the user downloaded, perhaps in an insecure way. We can't control this, so it may be considered a weak link in the chain.

I'll agree that most users probably don't verify their DVD images, as it takes some manual work to do it properly, so that's another weak link, but the possibility does exist for those of us who care enough about our security. When Anaconda downloads packages, on the other hand, they will often be transferred over insecure HTTP or FTP, and the user isn't given a chance to verify them manually before they're installed.

The presence of one or two weak links in the chain is a very poor excuse for omitting another link altogether.

Björn Persson
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
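The two media-side links of the chain described in the message above (image digest checked against the checksum file, checksum file checked against the release key's signature), as an added example that is not part of the original thread. It assumes Fedora's BSD-style clearsigned CHECKSUM format, uses a constructed stand-in image, and only shells out to `gpg` in the signature step; a keyring holding the release key is assumed to have been obtained separately.

```python
import hashlib
import hmac
import re
import subprocess
import tempfile
from pathlib import Path

# Fedora's CHECKSUM files are BSD-style digest lines inside a PGP clearsigned
# message:  SHA256 (Fedora-18-x86_64-DVD.iso) = <hex>
DIGEST_LINE = re.compile(
    r"^(?P<algo>SHA256|SHA512|SHA1)\s*\((?P<name>[^)]+)\)\s*=\s*(?P<hex>[0-9a-fA-F]+)\s*$")

def parse_checksum_file(text):
    """Map image filename -> (algorithm, expected hex digest), skipping
    PGP armor, the 'Hash:' header and '#' comments."""
    expected, in_sig = {}, False
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            in_sig = True
        elif line.startswith("-----END PGP SIGNATURE-----"):
            in_sig = False
        elif not in_sig and (m := DIGEST_LINE.match(line)):
            expected[m.group("name")] = (m.group("algo").lower(), m.group("hex").lower())
    return expected

def checksum_file_signature_ok(checksum_path, keyring_path):
    """Chain link: the checksum file must carry a good signature from a key in
    the given keyring (assumed to hold the release key, fetched and pinned
    separately). Any non-zero gpg exit means: do not trust these digests."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", str(keyring_path),
         "--verify", str(checksum_path)], capture_output=True)
    return proc.returncode == 0

def verify_image(image_path, checksum_text):
    """Chain link: the image's digest must equal the entry for its filename."""
    entry = parse_checksum_file(checksum_text).get(Path(image_path).name)
    if entry is None:
        return False                      # a missing entry is a failure, not a pass
    algo, want = entry
    h = hashlib.new(algo)
    with open(image_path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return hmac.compare_digest(h.hexdigest(), want)

# Constructed sample: a stand-in "image" and a checksum file covering it.
SAMPLE_ISO = b"constructed stand-in for a DVD image\n"
SAMPLE_CHECKSUM = (
    "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
    "# constructed sample, not a real Fedora release\n"
    f"SHA256 (Fedora-18-x86_64-DVD.iso) = {hashlib.sha256(SAMPLE_ISO).hexdigest()}\n"
    "-----BEGIN PGP SIGNATURE-----\n(signature block omitted)\n-----END PGP SIGNATURE-----\n")

def demo():
    """Return (intact image verifies, image with one extra byte verifies)."""
    with tempfile.TemporaryDirectory() as d:
        iso = Path(d) / "Fedora-18-x86_64-DVD.iso"
        iso.write_bytes(SAMPLE_ISO)
        intact = verify_image(iso, SAMPLE_CHECKSUM)
        iso.write_bytes(SAMPLE_ISO + b"X")      # altered copy, e.g. from a bad mirror
        return intact, verify_image(iso, SAMPLE_CHECKSUM)
```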