Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows
Todd Zullinger
tmz at pobox.com
Tue Nov 24 22:27:11 UTC 2009
Allen Kistler wrote:
> I have the same opinion of signing the page with the hashes. The pages
> that list the hashes for F12 are:
>
> https://fedoraproject.org/static/checksums/Fedora-12-i386-CHECKSUM
> https://fedoraproject.org/static/checksums/Fedora-12-x86_64-CHECKSUM
>
> They are PGP-signed using *self-signed* keys listed in:
>
> https://fedoraproject.org/static/fedora.gpg
>
> One web page is signed using keys on another web page. So someone
>
> 1. Downloads the ISOs
> 2. Checks the hash vs. the web page
> 3. Checks the signature on the web page vs. a key on another web page
> 4. Cannot check the key
>
> Unless you want people to:
>
> 4. Check the key vs. the one on the ISOs
>
> which gets circular.
>
> If we don't trust the page which has the hashes, why do we trust the
> page which has the keys more? If someone can alter the ISOs and
> then alter the published hashes to hide their tracks, why not alter
> the published keys, as well? Ultimately I'm wondering what problem
> we're solving by signing the web page in the first place.
>
> Sign the hash page with a key which descends from a verifiable,
> trusted root (even a key signed by the release manager would be
> better than self-signed), or don't sign the page. I lean toward not
> signing, and IRL I'm a paranoid security guy.
To be fair, the *-CHECKSUM files were only added to
https://fedoraproject.org/static/checksums/ recently (F-11). And they
are still widely available via mirrors and bit torrent. The GPG
signatures are quite useful for anyone downloading the CHECKSUM files
by those methods.
I don't mind that the GPG keys are role keys and are not signed by
(m)any other keys (though Jesse has signed some of them in the past).
Using SSL to get the keys seems reasonable to me. All trust has to
start somewhere.
--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Some of the narrowest minds are found in the fattest heads.
-- Anonymous
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 542 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-infrastructure-list/attachments/20091124/cd2cc3e1/attachment.sig>
More information about the Fedora-infrastructure-list
mailing list