Re: Fedora's GPG key in DNS(SEC)

On Sat, Feb 13, 2021 at 12:15:14AM +0100, Björn Persson wrote:
> 
> The first key that gets imported to RPM is included in the installation
> image and gets installed along with the rest of the system, but that's
> not the very first key. The very first OpenPGP key is the one you need
> to verify the installation image before you start the installation.
> (Okay, technically the same key is used for both purposes, but that's
> an irrelevant detail.)
> 
> If you install from a malicious installation image, then your Fedora
> system is already compromised before DNF has a chance to look up any
> key. On the other hand, once the image is verified you can trust its
> contents, including the keys that will later be used to verify
> downloaded packages. (Assuming of course that you can trust the computer
> you used to verify the image, and the USB memory you write it to. It's
> trust all the way down.)
> 
> Verifying the installation image isn't a thing that RPM and DNF can help
> you with. That may well need to happen on a non-RPM-based system. What
> would help is if GnuPG could fetch and verify the key automatically. (It
> would also help if we had detached OpenPGP signatures of the images so
> we could skip the sha256sum step.) According to the manual, GnuPG can
> look up keys in DNS in various ways, but it tries only Web Key Directory
> by default. I think therefore that the greatest advantage of publishing
> the keys in DNS is that it can help with verifying installation images,
> but it might be even better to publish them in a Web Key Directory.

I'd not oppose making verification easier, but I think we really need to
try and find a better solution than gpg. No offense to all the hard work
that's gone into it, it's just... not something you can expect non-geeks
to bother with or figure out usually.

For Windows and macOS, we have Fedora Media Writer. Of course they would
then need to verify _that_.

It's really not an easy problem. :(

kevin
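
The quoted message names two places GnuPG can look for a key: DNS and a Web Key Directory. The sketch below is an added example, not part of the original thread or of any Fedora tooling; it derives both lookup locations for an address, following RFC 7929 (OPENPGPKEY records) and the WKD Internet-Draft. The address is a constructed sample, not a real Fedora key identity.

```python
import hashlib
from urllib.parse import quote

ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base-32 alphabet used by WKD


def zbase32(data):
    """Encode bytes as z-base-32: 5 bits per character, most significant first."""
    nbits = len(data) * 8
    pad = -nbits % 5  # zero bits appended so the length is a multiple of 5
    value = int.from_bytes(data, "big") << pad
    count = (nbits + pad) // 5
    return "".join(ZB32[(value >> 5 * (count - 1 - i)) & 31] for i in range(count))


def split_address(address):
    """Split on the last '@'; the domain is case-insensitive, so lowercase it."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return local, domain.lower()


def wkd_urls(address):
    """WKD lookup URLs. SHA-1 only names the resource; trust comes from HTTPS."""
    local, domain = split_address(address)
    digest = zbase32(hashlib.sha1(local.lower().encode("utf-8")).digest())
    tail = f"hu/{digest}?l={quote(local, safe='')}"
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/{tail}",
        "direct": f"https://{domain}/.well-known/openpgpkey/{tail}",
    }


def dane_owner_name(address):
    """RFC 7929 owner name: SHA-256 of the local part, truncated to 28 octets.
    The record is only meaningful if the answer is DNSSEC-validated."""
    local, domain = split_address(address)
    label = hashlib.sha256(local.encode("utf-8")).hexdigest()[:56]
    return f"{label}._openpgpkey.{domain}"


if __name__ == "__main__":
    sample = "Joe.Doe@Example.ORG"  # constructed sample address
    for method, url in wkd_urls(sample).items():
        print(f"WKD {method}: {url}")
    print(f"DNS OPENPGPKEY: {dane_owner_name(sample)}")
```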
