On Thu, Jan 10, 2013 at 8:41 PM, Adam Jackson <ajax@xxxxxxxxxx> wrote:
> For the same reason Firefox doesn't automatically accept self-signed SSL
> certs, and the same reason that ssh doesn't automatically accept new
> host keys: it'd be creating trust from thin air. With secure boot
> disabled there's no root of trust for verification. You could verify
> that the signatures were _valid_, but you'd have no grounds to conclude
> from their validity that the signatures were the ones put there by The
> Fedora Project, and therefore that the package contains the data that
> The Fedora Project intended it to contain. You'd only know that the key
> the repo says signed the packages did in fact sign the packages.
>
> That's not security. That's theatre.

Let's be a little more precise.

- For _Fedora_ repositories (the release repository and the updates
  repository), we *can* ship the public key inside the installer iso
  image. As has been established in this thread, authenticating the ISO
  is necessary in any case; that would also provide a full "trust path"
  to the Fedora repository and packages contained within. No Secure Boot
  required.

  Having this sounds like a nice security improvement that would IMHO be
  worth doing. I'd expect it to be a little difficult to make a good UI
  for this: we can enable GPG checking by default for the repository
  configuration shipped on the ISO; but if the user adds a repo manually
  we would/would not want to enable GPG checking depending on whether the
  repository is/isn't a "Fedora" one. Also the UI of explaining to the
  user that signatures are not verified if a third-party repo is added
  would probably be tricky.

- For _third-party_ repositories, the root of trust can't come from the
  installer iso image. AFAICS _this_ is the primary benefit of the Secure
  Boot support - it allows third parties to authenticate their
  repositories.

  A caveat here is that it allows _any_ such third parties to
  authenticate repositories. Microsoft? Accepted. Oracle Solaris OS
  group? Accepted. In particular - this is not clear from the feature
  page - if any vendor that is able to sign MS drivers is included,
  that's _quite a few_ third parties. Realtek, who has had a signature
  stolen by Stuxnet authors? Accepted.

  So the Secure Boot chain of trust doesn't really allow you to blindly
  install software any more than MS Authenticode allows you to blindly
  run ActiveX plugins. Still, it's definitely better than what we have
  now.

    Mirek
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
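The distinction the message above draws (a key pre-installed from the install image vs. a key the repository hands you itself) can be audited mechanically in existing yum/dnf-style repo configuration. The script below is an added example, not code from the thread or from the Fedora project: it parses .repo sections with the standard library and classifies each repository by where its gpgkey comes from. The .repo contents and the vendor host names are constructed for the example; the Fedora key path and mirrorlist shape follow the stock fedora.repo layout.

```python
"""Audit .repo files for the origin of each repository's root of trust.

Categories:
  pinned       gpgkey is a file:// path already on the installed system
               (e.g. shipped on the install image) -- verification is
               anchored independently of the repository.
  remote       gpgkey is fetched from some other network host -- a signature
               check runs, but the key still needs out-of-band verification.
  self-served  gpgkey is served by the same host as the packages -- the check
               only proves "the key the repo says signed the packages did in
               fact sign the packages".
  none         gpgcheck is off or no key is configured.
"""
import configparser
from urllib.parse import urlparse

# Constructed sample input: one stock-style Fedora repo and three
# hypothetical third-party sections (host names are made up).
SAMPLE_REPO_FILES = {
    "fedora.repo": """
[fedora]
name=Fedora $releasever - $basearch
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
""",
    "vendor.repo": """
[vendor-drivers]
name=Vendor drivers (key served by the repo itself)
baseurl=https://repo.vendor.example/el/$basearch/
enabled=1
gpgcheck=1
gpgkey=https://repo.vendor.example/RPM-GPG-KEY-vendor

[vendor-keyserver]
name=Vendor drivers (key from a separate host)
baseurl=https://repo.vendor.example/el/$basearch/
enabled=1
gpgcheck=1
gpgkey=https://keys.vendor.example/RPM-GPG-KEY-vendor

[vendor-unsigned]
name=Vendor nightly (no checking)
baseurl=https://repo.vendor.example/nightly/
enabled=1
gpgcheck=0
""",
}

TRUE_VALUES = ("1", "true", "yes", "on")


def trust_root(section):
    """Classify one repo section; see the module docstring for categories."""
    if section.get("gpgcheck", "0").strip().lower() not in TRUE_VALUES:
        return "none"
    keys = section.get("gpgkey", "").split()
    if not keys:
        return "none"  # gpgcheck=1 with nothing to verify against

    # Every host that can serve package data or metadata for this repo.
    package_hosts = set()
    for opt in ("baseurl", "mirrorlist", "metalink"):
        for url in section.get(opt, "").split():
            host = urlparse(url).hostname
            if host:
                package_hosts.add(host)

    categories = set()
    for key in keys:
        parsed = urlparse(key)
        if parsed.scheme == "file":
            categories.add("pinned")
        elif parsed.hostname in package_hosts:
            categories.add("self-served")
        else:
            categories.add("remote")

    # The weakest key source wins: one self-served key makes the check hollow.
    for worst in ("self-served", "remote", "pinned"):
        if worst in categories:
            return worst
    return "none"


def audit(repo_files):
    """Map 'file:section' -> trust-root category for every repo section."""
    results = {}
    for name, text in repo_files.items():
        # interpolation=None: '$releasever' and '%' in URLs are literal text here
        cp = configparser.ConfigParser(interpolation=None)
        cp.read_string(text, source=name)
        for sect in cp.sections():
            results[f"{name}:{sect}"] = trust_root(cp[sect])
    return results


if __name__ == "__main__":
    for repo, category in audit(SAMPLE_REPO_FILES).items():
        print(f"{category:12s} {repo}")
```

Only the "pinned" class matches the proposal in the message (key shipped on the ISO, referenced by file:// path); "self-served" is exactly the "trust from thin air" case, and "remote" is no better until the key's fingerprint has been checked against something the user already trusts. A real audit would read /etc/yum.repos.d/*.repo instead of the constructed dictionary.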