Re: Fedora's GPG key in DNS(SEC)

Hi,

If you approach the question of where to anchor your trust from too broad a perspective, you end up with no other option but throwing your computer out of the window (joking, don't do that).

This system has other advantages as well:
* it can automatically install keys for 3rd party repos and verify them using the DNSSEC trust anchor which is preinstalled on the system
* it can help in case of revocation as there is currently no way to do that automatically
* Except for some corner cases I expect all RPM repo providers to have a DNS domain which can be used to store the key, so there is no additional software required

The main disadvantage of the system is that it uses DNS and that is unfortunately very unreliable.

Martin Sehnoutka

On 2/13/21 12:15 AM, Björn Persson wrote:
Miroslav Suchý wrote:
All Fedora's GPG keys - starting with Fedora 27 - are now stored in fedoraproject.org DNS record and can be verified
using DNSSEC.

Why? How can it be used? That is a long story and you can read about it in my blog entry:
     http://miroslav.suchy.cz/blog/archives/2021/02/11/verify_package_gpg_signature_using_dnssec/index.html

More checking doesn't hurt, but mostly this looks like a different
solution to a problem that Fedora already has a solution to. The
changes to DNF aren't an answer to the question in your blog post:

But how to fetch the very first GPG key?

The first key that gets imported to RPM is included in the installation
image and gets installed along with the rest of the system, but that's
not the very first key. The very first OpenPGP key is the one you need
to verify the installation image before you start the installation.
(Okay, technically the same key is used for both purposes, but that's
an irrelevant detail.)

If you install from a malicious installation image, then your Fedora
system is already compromised before DNF has a chance to look up any
key. On the other hand, once the image is verified you can trust its
contents, including the keys that will later be used to verify
downloaded packages. (Assuming of course that you can trust the computer
you used to verify the image, and the USB memory you write it to. It's
trust all the way down.)

Verifying the installation image isn't a thing that RPM and DNF can help
you with. That may well need to happen on a non-RPM-based system. What
would help is if GnuPG could fetch and verify the key automatically. (It
would also help if we had detached OpenPGP signatures of the images so
we could skip the sha256sum step.) According to the manual, GnuPG can
look up keys in DNS in various ways, but it tries only Web Key Directory
by default. I think therefore that the greatest advantage of publishing
the keys in DNS is that it can help with verifying installation images,
but it might be even better to publish them in a Web Key Directory.

Björn Persson


_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
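
The thread compares two places a client can look up an OpenPGP key for an address: a DNSSEC-signed DNS record and a Web Key Directory. The following is an added example, not code from the thread, DNF or GnuPG. It computes both lookup locations, assuming the DNS records are OPENPGPKEY records named as in RFC 7929 (the thread does not say which record type is used) and the WKD "advanced" URL layout; the function names and the sample address are made up for illustration.

```python
import base64
import hashlib
from urllib.parse import quote

# z-base-32 alphabet used by WKD, mapped from the RFC 4648 base32 alphabet.
_ZB32 = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                        b"ybndrfg8ejkmcpqxot1uwisza345h769")


def split_address(address):
    """Split user@domain; reject input without a local-part and a domain."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return local, domain.lower().rstrip(".")


def openpgpkey_owner_name(address):
    """DNS owner name of the OPENPGPKEY record (assumed: RFC 7929 naming).

    SHA-256 of the UTF-8 local-part, truncated to 28 octets, hex encoded.
    The local-part is hashed as written, so its case matters.
    """
    local, domain = split_address(address)
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain}"


def wkd_advanced_url(address):
    """Web Key Directory URL ('advanced' method).

    SHA-1 of the local-part with ASCII letters lowercased, z-base-32 encoded.
    """
    local, domain = split_address(address)
    digest = hashlib.sha1(local.encode("utf-8").lower()).digest()
    hashed = base64.b32encode(digest).translate(_ZB32).decode("ascii")
    return (f"https://openpgpkey.{domain}/.well-known/openpgpkey/"
            f"{domain}/hu/{hashed}?l={quote(local)}")


if __name__ == "__main__":
    uid = "Releng@Example.org"  # constructed address, not a real key UID
    print("DNS :", openpgpkey_owner_name(uid), "IN OPENPGPKEY")
    print("WKD :", wkd_advanced_url(uid))
```

The DNS answer is only worth trusting when the resolver reports it as DNSSEC-validated, while the WKD answer relies on the TLS certificate of the web server instead.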
