Old 08-26-2008, 01:56 AM
Bojan Smojver
 
Time to resurrect multi-key signatures in RPM?

In the light of recent RPM signing intrusions, maybe we should resurrect
the RPM feature where multiple signatures are allowed (i.e. --addsign is
different to --resign)? With this we could then require N good
signatures (and no bad ones) on each package before yum would trust the
content.

What I'm getting at with this is distributed package signing, which
would make the job of breaking the trust much harder for attackers, as
they would have to crack private keys of many people around the world in
order to subvert Fedora packages.

For instance, an attacker in the position of injecting a bad
package and signing it with the Fedora key would still get nowhere, as he'd
need to convince other signatories to sign those packages before they
pose any threat to Fedora users. Before signing, signatories could
require that the original contributor who built the package for a
particular tag sends a signed e-mail (containing that tag and package
checksums - valid only once) to the signatories, therefore requiring yet
another compromised private key in order to perform an attack.
Signatories could also use alternative build systems with no public
access (e.g. their own, Matt's at Dell etc.) to verify package checksums
before signing, in order to avoid trusting a compromised Fedora build
system.

This would require more distributed resources and would slow the update
process down somewhat, but may avoid a single point of intrusion being
sufficient to break the distro.

Comments?

--
Bojan

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
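The "N good signatures and no bad ones" rule from the post above, as an added example that is not part of the original thread or of RPM/yum: the OpenPGP verification RPM would perform is replaced here by an HMAC stand-in (an assumption, so the block runs offline), and the decision that signatures from keys outside the trust set are ignored rather than treated as bad is likewise an assumption. The policy logic is the point: one bad signature from a trusted key vetoes the package, and a single key cannot reach N by signing repeatedly.

```python
import hashlib
import hmac
from typing import Callable, Dict, List, Tuple

# Stand-in for OpenPGP signing/verification (assumption, not RPM's code):
# each signer holds a secret and "signs" the package digest with HMAC-SHA256.
def make_signature(secret: bytes, package_digest: bytes) -> bytes:
    return hmac.new(secret, package_digest, hashlib.sha256).digest()

def hmac_verify(secret: bytes, package_digest: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(make_signature(secret, package_digest), sig)

def evaluate_signatures(package_digest: bytes,
                        signatures: List[Tuple[str, bytes]],
                        trusted_keys: Dict[str, bytes],
                        n_required: int,
                        verify: Callable[[bytes, bytes, bytes], bool] = hmac_verify):
    """Return (trusted, good_signers, reasons) under the 'N good, zero bad' rule.

    - A signature from a trusted key that fails to verify is fatal: one bad
      signature rejects the package however many good ones accompany it.
    - Good signatures are counted per distinct key, so one (possibly
      compromised) signer cannot reach N alone.
    - Signatures from keys not in the trust set are ignored (assumption).
    """
    good = set()
    reasons = []
    for key_id, sig in signatures:
        secret = trusted_keys.get(key_id)
        if secret is None:
            reasons.append(f"ignored signature from untrusted key {key_id}")
            continue
        if not verify(secret, package_digest, sig):
            reasons.append(f"BAD signature from trusted key {key_id}")
            return False, sorted(good), reasons
        good.add(key_id)
    if len(good) < n_required:
        reasons.append(f"only {len(good)} of {n_required} required good signatures")
        return False, sorted(good), reasons
    return True, sorted(good), reasons

# Constructed sample: digest of a fake package and three trusted signers.
SAMPLE_DIGEST = hashlib.sha256(b"constructed package payload").digest()
SAMPLE_KEYS = {"fedora": b"secret-1", "alice": b"secret-2", "bob": b"secret-3"}
```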
 
Old 08-26-2008, 02:22 AM
Andrew Bartlett
 
Time to resurrect multi-key signatures in RPM?

On Tue, 2008-08-26 at 11:56 +1000, Bojan Smojver wrote:
> In the light of recent RPM signing intrusions, maybe we should resurrect
> the RPM feature where multiple signatures are allowed (i.e. --addsign is
> different to --resign)? With this we could then require N good
> signatures (and no bad ones) on each package before yum would trust the
> content.

> Signatories could also use alternative build systems with no public
> access (e.g. their own, Matt's at Dell etc.) to verify package checksums
> before signing, in order to avoid trusting a compromised Fedora build
> system.

I think the checksums would be the hardest part. Build times, hosts
and other details are very often embedded into a build.

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.