On Mon, 22 Feb 2016 16:48:29 +0000 Gregory Maxwell <gmaxwell@xxxxxxxxx> wrote: > On Sun, Feb 21, 2016 at 2:32 PM, Sam Varshavchik > <mrsam@xxxxxxxxxxxxxxx> wrote: > > One has to jump into the installation guide, in order to find a > > buried link to https://getfedora.org/verify > > The instructions here have you download a set of PGP keys from the > same https webserver which could have been compromised to give you bad > download instructions. > > The Fedora 24 key inside it is not signed by any other key. (And even > if it were, no instruction is given to verify the key authenticity; > nor to seek out signatures on the key elsewhere (there is one on the > MIT key servers, but it does no good to users following these > instructions)). > > This is security theater Well, I agree the instructions could do better, but how would that help if the site was compromised? The attackers would write their own instructions. In addition to the verify link, the https://getfedora.org/en/keys/faq/ needs a good going over. Pointing people to the sks keyservers to download the key would be nice and asking them to check the signatures for a web of trust link would be great, but I am not sure how many people would care to do that or have any links there. > I've previously complained that Fedora PGP keys are unsigned, > otherwise unauthenticated, and shipped in the same location as the > potentially compromised binaries; and that the verification does > nothing to improve security against compromise of the main download > site, or MITM near enough to it on the network to get a https cert... > to no effect before. If the site is compromised how would any of that help? > Authenticating keys is hard in general; but existing fedora users > should at least be able to trust-on-first-use chain from earlier keys > to later ones-- assuming the fedora keys are kept offline and not > compromised-- and the instructions should have them verify > accordingly. But this would require the keys being shipped are signed > with prior releases key (or some static key signing key), and existing > users being told to check for that. It would also be preferable if the > keys were distributed on a separate server on a different network, so > that https would protect users that didn't/couldn't verify the > authenticity of the downloaded keys. This is already done somewhat... the fedora-repos package has all the keys in it from the time it was last updated. So, if you have a fedora install you can check the key in fedora-repos. However, that still doesn't get around the fact that the anchor of trust here is the ca certificate system, or I suppose, best case it would be a web of trust link back to the gpg key, but the web of trust is not that expansive and random users who don't care about gpg likely wouldn't have any links into the Fedora web of trust. kevin
Attachment:
pgpzi15901a8o.pgp
Description: OpenPGP digital signature
-- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
