On Sun, Feb 21, 2016 at 2:32 PM, Sam Varshavchik <mrsam@xxxxxxxxxxxxxxx> wrote:
> One has to jump into the installation guide, in order to find a buried link
> to https://getfedora.org/verify

The instructions here have you download a set of PGP keys from the same https webserver, which could have been compromised to give you bad download instructions. The Fedora 24 key inside it is not signed by any other key. (And even if it were, no instruction is given to verify the key's authenticity, nor to seek out signatures on the key elsewhere (there is one on the MIT key servers, but it does no good to users following these instructions).) This is security theater.

I've previously complained that Fedora PGP keys are unsigned, otherwise unauthenticated, and shipped in the same location as the potentially compromised binaries; and that the verification does nothing to improve security against compromise of the main download site, or MITM near enough to it on the network to get a https cert... to no effect before.

Authenticating keys is hard in general; but existing Fedora users should at least be able to trust-on-first-use chain from earlier keys to later ones -- assuming the Fedora keys are kept offline and not compromised -- and the instructions should have them verify accordingly. But this would require the keys being shipped to be signed with the prior release's key (or some static key-signing key), and existing users being told to check for that.

It would also be preferable if the keys were distributed on a separate server on a different network, so that https would protect users that didn't/couldn't verify the authenticity of the downloaded keys.

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
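The chain check the message asks for, as an added example that is not part of the mailing-list post and not Fedora's own tooling: a freshly downloaded release key is accepted only if GnuPG verifies a good certification signature on it made by a key the user already trusts (the previous release's key, exported from their own keyring). The script assumes GnuPG 2.x is installed and relies on the documented `--with-colons` record layout (`sig` records, status in field 2, signer key id in field 5); every key, user id and file name in it is constructed for the demo, and the `check_key_chain`, `build_demo_keys`, `fpr_of` and `primary_fprs` function names are this example's own.

```shell
#!/bin/sh
# Added example, written for this page; not code from the mailing-list post
# or from the Fedora project. Accept a downloaded release key only if it
# carries a good certification signature from a key you already trust
# (for example the previous release's key). Needs GnuPG 2.x.
# Every key, user id and file name below is constructed for the demo.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg is required for this example" >&2; exit 0; }

# gpg without prompts; stderr is silenced because decisions are made from the
# machine-readable colon records on stdout, never from human-readable text.
gpg_q() { gpg --batch --quiet "$@" 2>/dev/null; }

# Fingerprint of the primary key whose user id matches exactly ("=" prefix).
fpr_of() {
    gpg_q --with-colons --list-keys "=$1" |
        awk -F: '$1=="pub"{want=1} $1=="fpr" && want {print $10; exit}'
}

# All primary-key fingerprints in $GNUPGHOME: fpr records that directly
# follow a pub record (subkey fingerprints are skipped).
primary_fprs() {
    gpg_q --with-colons --list-keys |
        awk -F: '$1=="pub"{want=1} $1=="fpr" && want {print $10; want=0}'
}

# check_key_chain TRUSTED_KEY_FILE CANDIDATE_KEY_FILE
# Exit 0 only if some key in CANDIDATE_KEY_FILE has a signature that gpg
# verifies as good ("!") and that was made by the single key in
# TRUSTED_KEY_FILE. Runs in a scratch keyring, so nothing is imported for real.
check_key_chain() (
    trusted_file=$1; candidate_file=$2
    GNUPGHOME=$(mktemp -d); export GNUPGHOME; chmod 700 "$GNUPGHOME"
    gpg_q --import "$trusted_file"
    trusted_fpr=$(primary_fprs | head -n 1)
    trusted_keyid=$(printf '%s' "$trusted_fpr" | tail -c 16)  # long key id = last 16 hex digits
    gpg_q --import "$candidate_file"
    ok=1
    for fpr in $(primary_fprs); do
        [ "$fpr" = "$trusted_fpr" ] && continue   # the anchor never vouches for itself
        # sig records: $2 = status (! good, - bad, ? signer unknown), $5 = signer key id
        if gpg_q --with-colons --check-sigs "$fpr" |
           awk -F: -v k="$trusted_keyid" '$1=="sig" && $2=="!" && $5==k {found=1} END {exit !found}'; then
            ok=0
        fi
    done
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
    exit $ok
)

# build_demo_keys DIR
# Creates three constructed keys in a scratch keyring and exports them to
# DIR/old.asc, DIR/new.asc and DIR/rogue.asc: "old" certifies "new", while
# "rogue" is an unsigned key of the kind a compromised mirror could serve.
build_demo_keys() (
    out=$1
    GNUPGHOME=$(mktemp -d); export GNUPGHOME; chmod 700 "$GNUPGHOME"
    echo allow-loopback-pinentry > "$GNUPGHOME/gpg-agent.conf"  # lets --passphrase '' work on older 2.1.x
    for uid in "Old release key (constructed demo)" "New release key (constructed demo)" "Rogue key (constructed demo)"; do
        gpg_q --pinentry-mode loopback --passphrase '' --quick-generate-key "$uid" ed25519 sign never
    done
    old=$(fpr_of "Old release key (constructed demo)")
    new=$(fpr_of "New release key (constructed demo)")
    rogue=$(fpr_of "Rogue key (constructed demo)")
    gpg_q --yes -u "$old" --quick-sign-key "$new"     # previous release key certifies the next one
    gpg_q --armor --export "$old"   > "$out/old.asc"
    gpg_q --armor --export "$new"   > "$out/new.asc"  # carries the certification made by "old"
    gpg_q --armor --export "$rogue" > "$out/rogue.asc"
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
)

demo_dir=$(mktemp -d)
build_demo_keys "$demo_dir"
if check_key_chain "$demo_dir/old.asc" "$demo_dir/new.asc"; then
    echo "new.asc: certified by the trusted key, safe to import"
fi
if check_key_chain "$demo_dir/old.asc" "$demo_dir/rogue.asc"; then
    echo "rogue.asc: certified (unexpected)"
else
    echo "rogue.asc: no good signature from the trusted key, do not import"
fi
rm -rf "$demo_dir"
```

In real use the trusted file is an export of the key already on the installed system, not something fetched from the download site, which is the whole point of the chain: the check only says something if its anchor came from somewhere the attacker does not control. A signature that fails to verify shows up as status `-` rather than `!` and is rejected, and a signature claiming to come from the trusted key id but made by some other key cannot pass because gpg verifies it against the trusted key's public material, not the id.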