Miroslav Suchý wrote: > All Fedora's GPG key - starting with Fedora 27 - are now stored in fedoraproject.org DNS record and can be verified > using DNSSEC. > > Why? How it can be used? That is long story and you can read about it in my blog entry: > http://miroslav.suchy.cz/blog/archives/2021/02/11/verify_package_gpg_signature_using_dnssec/index.html More checking doesn't hurt, but mostly this looks like a different solution to a problem that Fedora already has a solution to. The changes to DNF aren't an answer to the question in your blog post: > But how to fetch the very first GPG key? The first key that gets imported to RPM is included in the installation image and gets installed along with the rest of the system, but that's not the very first key. The very first OpenPGP key is the one you need to verify the installation image before you start the installation. (Okay, technically the same key is used for both purposes, but that's an irrelevant detail.) If you install from a malicious installation image, then your Fedora system is already compromised before DNF has a chance to look up any key. On the other hand, once the image is verified you can trust its contents, including the keys that will later be used to verify downloaded packages. (Assuming of course that you can trust the computer you used to verify the image, and the USB memory you write it to. It's trust all the way down.) Verifying the installation image isn't a thing that RPM and DNF can help you with. That may well need to happen on a non-RPM-based system. What would help is if GnuPG could fetch and verify the key automatically. (It would also help if we had detached OpenPGP signatures of the images so we could skip the sha256sum step.) According to the manual, GnuPG can look up keys in DNS in various ways, but it tries only Web Key Directory by default. I think therefore that the greatest advantage of publishing the keys in DNS is that it can help with verifying installation images, but it might be even better to publish them in a Web Key Directory. Björn Persson
Attachment:
pgpTTSdA8Oqth.pgp
Description: OpenPGP digital signatur
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
