Re: Preventing supply chain attacks via rekor

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 11.06.2021 09:42, Huzaifa Sidhpurwala wrote:
One possible step in this direction is the ability to ensure that there is no distribution point tampering of binaries shipped in Fedora.

All RPM packages are already digitally signed by Fedora GPG keys. No further actions is required.

If someone MITM replaces the RPM package, it will fail the gpg signature check and will not be installed.

--
Sincerely,
  Vitaly Zaitsev (vitaly@xxxxxxxxxxxxxx)
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux