On 5 May 2013, at 20:31, Chris Adams wrote:
Once upon a time, Lars Seipel <lars.seipel@xxxxxxxxx> said:
- the checksums for netinstall images are signed with a Fedora key
- the corresponding public key is made available through https
- therefore the integrity of installer images can be verified
That's only verifiable after the fact (when you want to use the
installer) if you burn to CD/DVD (which I believe is less common these
days). If you put it on a USB stick with something like
livecd-iso-to-disk it gets changed.
That also doesn't protect against malicious updates.img from the install
server.

In any case, I was talking about validation _during_ install, not prior
to install. How many people compare the ISO checksum and the signature
on the checksum file? AFAIK there is no automated tool to do that, so
it is a bunch of manual steps.
Sure, the steps are manual: download iso, download checksum file,
verify signature on checksum file, verify checksum on iso. Once I've
done that, though, I have a reasonable expectation that the iso --
and anaconda, the keys and rpms on it -- are good. And I only have
to do those steps once per release image, not every time I install a
system. I know that the images that I stored on my local repo server
are ones that I have previously checked.
Whether I then put that image on a USB stick, or mount it on a local
network server, or stick it in a DVD drive, I trust that image and
its contents as much as I trust anything coming from the Fedora project.
For me, though, the real head scratcher is this: the keys on that
iso are the ones that yum will use to verify signatures on updates --
why are they trustworthy enough for that, but not for verifying
signatures on rpms downloaded via netinstall or additional repos
configured in the DVD's installation source spoke? Makes no sense to
me.
To bring this back around to the topic of this thread, this is the
reason that I've continued to use the DVD for installations, and then
do a yum upgrade afterwards. It is the only way that I know to
ensure that all installed rpms are actually verified.
--
Mike
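
The manual steps listed in the message above (verify the signature on the checksum file, then verify the checksum on the iso), written out as an added example that is not part of the original thread and is not Fedora's own tooling. The keyring path, the file names and all function names are assumptions; the parser accepts both common SHA-256 line layouts, and it only ever sees text that gpg reported as covered by a good signature.

```python
import hashlib
import re
import subprocess
import sys

# Both layouts seen in distribution checksum files:
#   SHA256 (name.iso) = <hex>      and      <hex> *name.iso
BSD_LINE = re.compile(r"^SHA256 \((?P<name>.+)\) = (?P<hex>[0-9a-fA-F]{64})$")
GNU_LINE = re.compile(r"^(?P<hex>[0-9a-fA-F]{64}) [ *](?P<name>.+)$")


def signed_text(checksum_file, keyring):
    """Return only the text covered by a good signature, or raise.

    gpg exits non-zero on a bad signature or unknown key, so check=True
    stops here; lines outside the signed region never reach the parser.
    """
    result = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--decrypt", checksum_file],
        check=True, capture_output=True, text=True)
    return result.stdout


def parse_checksums(text):
    """Map file name -> lowercase SHA-256 hex digest."""
    digests = {}
    for line in text.splitlines():
        m = BSD_LINE.match(line.strip()) or GNU_LINE.match(line.strip())
        if m:
            digests[m.group("name")] = m.group("hex").lower()
    return digests


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def iso_is_verified(iso_path, iso_name, digests):
    """True only if the image is listed and its digest matches."""
    expected = digests.get(iso_name)
    return expected is not None and sha256_of(iso_path) == expected


if __name__ == "__main__":
    checksum_file, keyring, iso = sys.argv[1:4]
    listed = parse_checksums(signed_text(checksum_file, keyring))
    name = iso.rsplit("/", 1)[-1]
    sys.exit(0 if iso_is_verified(iso, name, listed) else 1)
```

Run it as `python verify_iso.py CHECKSUM-file keyring-file image.iso`; exit status 0 means the image is listed in the signed text and its digest matches.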