signed tarballs

William Roberts bill.c.roberts at gmail.com
Thu Apr 13 22:39:13 UTC 2017


On Apr 13, 2017 14:17, "Paul Moore" <pmoore at redhat.com> wrote:

On Thu, Apr 13, 2017 at 5:08 PM, William Roberts
<bill.c.roberts at gmail.com> wrote:
> On Apr 13, 2017 14:05, "Paul Moore" <paul at paul-moore.com> wrote:
>> Unless Steve has exclusive administrative access to people.redhat.com
>> (I think it is safe to say he does not, but correct me if I'm wrong
Steve) you can't trust an unsigned checksum regardless of how
>> strong the https cert/crypto as the web admin could still tamper with
>> the data.
>
> Sure possible, but not super plausible. You're putting some trust in the
> administration of that website to begin with.

Come on man, you're smarter than this :)

I only called out the malicious admin case, but there are other cases
where someone with malicious intent could tamper with the checksum.
Some quick examples: hacked webserver, MITM https proxy, etc.


It's all about trust. I could sign my tarballs and plop the private key
somewhere dumb. This is why PKI is hard. There are always flaws. I consider
https + hash to be like a medium level of trust, and definitely an
improvement over nothing. Nothing will beat a signed blob, and we'll assume
Steve uses a smart card stored in a vault and only ever used for signing
releases.


--
paul moore
security @ redhat
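The disagreement above (is an https-served SHA-256 enough, or does the tarball need a signature from a key that never touches the web server?) is easy to make concrete. The following is an added example, not code from the linux-audit thread or from the audit project: Ed25519 from Go's standard library stands in for the GPG/smart-card signing the thread has in mind, and the two "tarballs" are constructed byte strings, not real release archives. It plays out exactly the attacker Paul describes: someone who can write to the web root swaps the tarball and republishes a matching checksum.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Constructed sample "tarballs": a stand-in for the genuine release and for
// the copy an attacker substituted on the download server.
var (
	GenuineTarball  = []byte("audit-x.y.z.tar.gz: genuine release contents (constructed sample)")
	TamperedTarball = []byte("audit-x.y.z.tar.gz: backdoored contents (constructed sample)")
)

// DemoSeed is a fixed 32-byte seed so the example is deterministic. It is
// NOT how a release key is made; a real key comes from crypto/rand or lives
// on a smart card, as the thread assumes for Steve.
var DemoSeed = []byte("constructed-demo-seed-32-bytes!!")

// DemoKeyPair derives the maintainer's signing key and the public key that
// users would obtain out of band (pinned in a distro package, printed in the
// project docs), never from the same server that serves the tarball.
func DemoKeyPair() (ed25519.PrivateKey, ed25519.PublicKey) {
	priv := ed25519.NewKeyFromSeed(DemoSeed)
	return priv, priv.Public().(ed25519.PublicKey)
}

// Sha256Hex is the digest a maintainer publishes next to the tarball.
func Sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// ChecksumOK models "fetch over https, compare with the published hash".
// It catches corruption and a MITM who alters only the tarball, but anyone
// who can write to the web root can republish tarball and hash together.
func ChecksumOK(tarball []byte, publishedHex string) bool {
	got := Sha256Hex(tarball)
	return subtle.ConstantTimeCompare([]byte(got), []byte(publishedHex)) == 1
}

// SignRelease is the maintainer's offline step: sign the tarball's digest
// with a private key that never touches the web server.
func SignRelease(priv ed25519.PrivateKey, tarball []byte) []byte {
	sum := sha256.Sum256(tarball)
	return ed25519.Sign(priv, sum[:])
}

// VerifyRelease is the client-side check against the pinned public key.
// Lengths are checked first so a truncated key or signature fails cleanly
// instead of panicking inside ed25519.Verify.
func VerifyRelease(pub ed25519.PublicKey, tarball, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	sum := sha256.Sum256(tarball)
	return ed25519.Verify(pub, sum[:], sig)
}

// TamperScenario plays out the thread's argument. The maintainer signs the
// genuine tarball offline; a malicious or compromised web admin then swaps
// the tarball and rewrites the published checksum to match it. The admin
// cannot re-make the signature without the private key. Returns whether
// the tampered copy passes the checksum check and the signature check.
func TamperScenario() (checksumFooled, sigFooled bool) {
	priv, pub := DemoKeyPair()
	sig := SignRelease(priv, GenuineTarball)

	// Attacker-controlled web root: new tarball, new matching checksum.
	publishedHex := Sha256Hex(TamperedTarball)

	checksumFooled = ChecksumOK(TamperedTarball, publishedHex)
	sigFooled = VerifyRelease(pub, TamperedTarball, sig)
	return checksumFooled, sigFooled
}

func main() {
	cf, sf := TamperScenario()
	fmt.Printf("tampered tarball passes https+hash check: %v\n", cf)
	fmt.Printf("tampered tarball passes signature check:  %v\n", sf)
}
```

The https-plus-hash check is not worthless, as William says: it stops a transit MITM and an attacker who can only replace the tarball. What it cannot do is distinguish the maintainer from anyone who can write to people.redhat.com, because both files come from the same place. The signature check only helps if the public key is pinned from somewhere other than that server; a `.asc` fetched next to the tarball and verified against a key fetched from the same host is back to the medium level of trust.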