Should Fedora rpms be signed?

Féliciano Matias feliciano.matias at free.fr
Mon Nov 1 23:43:21 UTC 2004


On Monday, 01 November 2004 at 15:14 -0500, Jeff Spaleta wrote:
> We can argue about the technical definition of what gpg-signing
> means...as originally conceived in the pgp/gpg methodology, but is a
> pointless thing to discuss... in the context of rpm package signing.
> rpm package signing is NOT a full implementation of a gpg/pgp signing
> system. rpm's lack of understanding of what a signed key is, greatly
> impacts "trust"
> as a quantifiable concept..and automatically elevates all signed
> packages to the same "trust" status.

The "trust" in gpg only defines the trust about the origin of the key!
A key will _NEVER_ define the "trust" you should put on a package. A
signed package tells the origin of the package. The origin of the package
(with some documentation (QA), reputation of the provider, friends'
advice, ...) tells you whether you would take the risk (or not) to install
the package on your system. The decision to install the package is up to
you. Not to gpg.

You can fully trust my gpg key (because my friends sign my key and you
know my friends), but you should not trust me if I tell you: "please,
enter 'rm -r -f /' as root" :-)
The trust in gpg is not an indicator of quality or intelligence.

>  Whereas mature general use
> gpg/pgp implementations know what a signature means, and how to
> calculate "trust" from signatures on keys. If you trust me, and I sign
> someone else's key, that key earns a measure of trust from my
> signature. gnupg understands this concept of the web of trust.. rpm
> does not...

Use something like:
$ gpg --refresh-keys --keyserver pgp.mit.edu
[...]
$ LANG=C rpm -K -v udev-039-6.i386.rpm | sed -n -e "s/.*Header.* \([[:alnum:]]\+\)$/\1/p" | xargs gpg --list-key -v
pub  1024D/4F2A6FD2 2003-10-27 Fedora Project <fedora at redhat.com>
sig 3       4F2A6FD2 2003-10-27   Fedora Project <fedora at redhat.com>
sig 3       DB42A60E 2003-10-27   Red Hat, Inc <security at redhat.com>
sig         8DF56D05 2003-10-28   Fedora Linux (RPMS) <security at fedora.us>
sig 3       D1C76C53 2004-04-26   Féliciano Matias (normal) <feliciano.matias at free.fr>
sig         11E60E88 2004-08-07   [Nom utilisateur introuvable]
sig         003E1D9D 2004-08-07   [Nom utilisateur introuvable]
sig         FAF6AFE3 2004-08-07   [Nom utilisateur introuvable]
sig         2A74F90D 2004-08-07   [Nom utilisateur introuvable]
sig         7BAC7F6C 2004-10-23   [Nom utilisateur introuvable]
sig 2       CF4655CF 2003-12-15   [Nom utilisateur introuvable]
sig 2       BE950472 2004-05-17   [Nom utilisateur introuvable]
sig 3       BB4B29A7 2003-12-03   [Nom utilisateur introuvable]
sig 3       A8F02EF5 2004-10-21   [Nom utilisateur introuvable]
sig 3       D950C647 2004-01-20   [Nom utilisateur introuvable]
sig 3       02FF71B2 2004-02-15   [Nom utilisateur introuvable]
sig 3       ADD4C933 2004-02-21   [Nom utilisateur introuvable]
sig 3       8B415BA9 2004-03-29   [Nom utilisateur introuvable]
sig 3       DC29E554 2004-03-29   [Nom utilisateur introuvable]
sig 3  R    A403ECA0 2004-02-23   [Nom utilisateur introuvable]
sub  1024g/FB939E34 2003-10-27
sig         4F2A6FD2 2003-10-27   Fedora Project <fedora at redhat.com>

Well, I have a little gpg keyring.

This only says:
- I can trust the origin of the key and then the origin of the package.
Nothing else.
Suppose I ran this command under RHEL 2.1. Should I install udev on RHEL
2.1?

> that is significant in the context of how rpm package
> signing has been used so far. Because there is a lack of trust metric
> in rpm's implementation, package signing..by vendors..has
> historically meant more than prescribed by a general gpg methodology
> definition of signing.

The vendor: Trust our solution for mission-critical, because ..., because...
The client: I trust you because ..., because ...
The vendor: Get the product (package) here.
The client: How can I be sure this package comes from you?
The vendor: The package is signed with our own key. Our key is signed on
pgp.mit.edu by other people.

NB: The client trusts the vendor as a provider of mission-critical
solutions _before_ using any signature.

>    This isn't a matter of one or two really
> really stupid users doing something really really stupid. This is a
> matter of common perception as to what signing a package means,

What is this "common perception"?
People trust RHEL for mission-critical servers but they don't trust
Fedora for mission-critical.
However, Fedora _and_ RHEL have signed rpms.

>  and
> what vendors have historically wanted people to think signing a package
> means... in the context of rpm's implementation of signing and not in
> the context of gnupg's or pgp's general purpose implementation.  And I
> argue that historically... rpm package signing has meant more than
> "built on this host" and that many vendors including Red Hat have
> meant it to mean more than "built on this host."  And I will argue
> that until rpm gets support for the trust metric concept using signed
> keys, signing rawhide packages encourages people to "trust" rawhide
> packages.

"trust" me, rawhide is full of bugs. We don't any "metric concept using
signed keys" to know that.

>  Where "trust" is a quantifiable measurement based on key
> signatures.
> 
> -jef
> 
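As an added illustration of the check shown in the message above (this is not part of the original post), here is the same `rpm -K -v` / `gpg --list-key -v` pipeline done in Python over constructed sample output: it extracts the signing key ID the way the sed expression does, parses the signatures on that key, and reports only what those two outputs actually establish, namely which key signed the package and how many other keys vouch for that key's identity. Both sample outputs are constructed in the shape of the post's listing, not captured from a real system.

```python
import re

# Constructed sample of `rpm -K -v` output for the post's package (not a real capture)
RPM_K_OUTPUT = """udev-039-6.i386.rpm:
    Header V3 DSA signature: OK, key ID 4f2a6fd2
    Header SHA1 digest: OK (2d7f0c5e1b9a4d3c8e6f0a1b2c3d4e5f6a7b8c9d)
    V3 DSA signature: OK, key ID 4f2a6fd2
"""
# Constructed, abridged sample in the shape of the post's `gpg --list-key -v` output
GPG_LIST_OUTPUT = """pub  1024D/4F2A6FD2 2003-10-27 Fedora Project <fedora at redhat.com>
sig 3       4F2A6FD2 2003-10-27   Fedora Project <fedora at redhat.com>
sig 3       DB42A60E 2003-10-27   Red Hat, Inc <security at redhat.com>
sig         8DF56D05 2003-10-28   Fedora Linux (RPMS) <security at fedora.us>
sig 2       CF4655CF 2003-12-15   [User ID not found]
sig 3  R    A403ECA0 2004-02-23   [User ID not found]
sub  1024g/FB939E34 2003-10-27
sig         4F2A6FD2 2003-10-27   Fedora Project <fedora at redhat.com>
"""
# sig line: optional certification level, optional 'R' (revoked), key ID, date, user ID
SIG_RE = re.compile(r"^sig(?:\s+(\d))?\s+(R)?\s*([0-9A-Fa-f]{8})\s+(\d{4}-\d{2}-\d{2})\s+(.*)$")

def signing_key_id(rpm_k_output):
    # Same extraction as the post's sed: trailing alphanumeric token of each 'Header' line.
    # Any 'Header' check that is not OK means the origin is not established: return None.
    header = [l for l in rpm_k_output.splitlines() if "Header" in l]
    if any(": OK" not in l for l in header):
        return None
    ids = {m.group(1).lower() for l in header for m in [re.search(r" ([0-9A-Za-z]+)$", l)] if m}
    return ids.pop() if len(ids) == 1 else None

def key_signatures(gpg_output):
    # Signatures on the primary key only: stop at the first 'sub' (its sig is the subkey binding).
    pub, sigs = None, []
    for line in gpg_output.splitlines():
        if line.startswith("sub"):
            break
        if line.startswith("pub"):
            pub = line.split()[1].split("/")[1].lower()
        elif (m := SIG_RE.match(line)):
            level, revoked, kid, date, uid = m.groups()
            sigs.append({"level": int(level or 0), "revoked": revoked == "R",
                         "key": kid.lower(), "uid": uid, "self": kid.lower() == pub})
    return pub, sigs

def origin_report(rpm_k_output, gpg_output):
    # Everything the two outputs establish: the package carries a valid signature from this key,
    # and N other keys vouch for the key's identity. Nothing here measures package quality.
    pkg_key = signing_key_id(rpm_k_output)
    pub, sigs = key_signatures(gpg_output)
    vouching = [s for s in sigs if not s["self"] and not s["revoked"]]
    return {"package_key": pkg_key, "key_matches_listing": pkg_key == pub,
            "vouching_keys": len(vouching),
            "unknown_vouchers": sum(s["uid"].startswith("[") for s in vouching)}
```

Vouchers whose user ID is not in the local keyring (the `[...]` entries) are counted separately, since they add nothing until their keys are fetched and checked.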




