
Proposal: Discourage rpmbuild --sign



Proposal
========
rpm-4.2.2 in rawhide and all future versions should discourage the use of rpmbuild --sign. Perhaps this can be done effectively by adding a large and annoying warning message and a 15-second delay. Or disable it completely. I don't care how, but it should be discouraged somehow.


Why?
====

As long as rpmbuild --sign is allowed to remain painless, people tend to think it is the proper way to build and sign packages. It is not, for one key reason: safety.

It is possible, however unlikely, that trojans hiding within SRPMS that you build could steal your GPG keys, because the build runs as the same user that owns the GPG signing keys. They have access to the memory used by gnupg, as well as to the files in ~/.gnupg. The passphrase can be stolen, or the key files themselves can be stolen and the passphrase cracked. (It is a lot easier to crack a passphrase when you have both the private and the public key.)

When a user attempts rpmbuild --sign, the warning message should state that this is bad practice and point to a webpage at rpm.org for more information. That webpage should explain in detail why it is a bad practice and describe the following safer procedure.

1) Run rpmbuild as non-root user foo.
2) Copy the packages to non-root user foobar.
3) Use rpm --addsign to sign the packages as non-root user foobar.
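To make the three steps concrete, here is an added example wrapper (not part of the original post and not rpm's own tooling) that keeps building and signing on separate accounts and refuses to sign if the signing keyring could be read by the build account. The user names foo and foobar, the drop directory /var/tmp/to-sign, and the build user's RPMS path are assumptions for illustration; the permission check works on any directory and only uses POSIX ls, cut and awk.

```shell
#!/bin/sh
# Added example: separate build and signing accounts, as the proposal recommends.
# Assumed names (not from the original post): build user "foo", signing user
# "foobar", drop directory /var/tmp/to-sign.
BUILD_USER="${BUILD_USER:-foo}"
SIGN_USER="${SIGN_USER:-foobar}"
SIGN_HOME="${SIGN_HOME:-/home/$SIGN_USER}"
DROPBOX="${DROPBOX:-/var/tmp/to-sign}"

# keyring_mode_ok DIR -> 0 if DIR is mode 700 (no group or world bits), else 1.
# Reads the mode string from ls -ld, which is POSIX and needs no GNU stat.
keyring_mode_ok() {
    mode=$(ls -ld "$1" | cut -c2-10)
    case "$mode" in
        rwx------) return 0 ;;
        *)         return 1 ;;
    esac
}

# keyring_owner_ok DIR USER -> 0 if DIR is owned by USER, else 1.
keyring_owner_ok() {
    owner=$(ls -ld "$1" | awk '{print $3}')
    [ "$owner" = "$2" ]
}

# preflight: refuse to go further if the build account could reach ~foobar/.gnupg.
# This is the property the split is meant to guarantee, so check it explicitly.
preflight() {
    keyring_mode_ok "$SIGN_HOME/.gnupg" || {
        echo "refusing: $SIGN_HOME/.gnupg is group- or world-accessible" >&2
        return 1
    }
    keyring_owner_ok "$SIGN_HOME/.gnupg" "$SIGN_USER" || {
        echo "refusing: $SIGN_HOME/.gnupg is not owned by $SIGN_USER" >&2
        return 1
    }
    return 0
}

# Step 1: build as the unprivileged build account. The signing key is never
# present in this account, so a trojan in the SRPM has nothing to steal.
build_as_builder() {   # $1 = path to the .spec file
    su - "$BUILD_USER" -c "rpmbuild -ba '$1'"
}

# Step 2: hand the finished packages to the signing account through a drop
# directory. $1 is the build user's RPMS tree (assumed /home/foo/rpmbuild/RPMS).
copy_to_signer() {
    mkdir -p "$DROPBOX"
    find "$1" -name '*.rpm' -exec cp {} "$DROPBOX"/ \;
    chown -R "$SIGN_USER" "$DROPBOX"
}

# Step 3: sign with rpm --addsign as the signing account only. rpmbuild --sign
# is never used, so no build-time code runs with access to the key.
sign_as_signer() {
    su - "$SIGN_USER" -c "rpm --addsign $DROPBOX/*.rpm"
}

# Usage (run as root, which is the only account that needs to su to both):
#   preflight && build_as_builder /home/foo/rpmbuild/SPECS/pkg.spec \
#     && copy_to_signer /home/foo/rpmbuild/RPMS && sign_as_signer
```

The preflight check is the part worth keeping even if you script the rest differently: a 700 keyring directory owned by the signing user is what actually prevents the build account from copying ~/.gnupg, and it is cheap to verify before every signing run.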

Protection of GPG keys must be of the highest importance, and I know for a fact that some of the popular third-party repositories are still using rpmbuild --sign. The risk to the community is just too great, and the mitigating fix for this is exceedingly simple.

Sane idea?

Warren Togami
warren togami com
