fedora-startqa

Toshio toshio at tiki-lounge.com
Fri Apr 2 20:27:12 UTC 2004


On Fri, 2004-04-02 at 12:29, Erik LaBianca wrote:
> > I'll give this a try too.  I think, though, what I want is for the
> > script to automatically make a decision that an SRPM with a valid GPG
> > does not have to have its md5sum checked.
> > 
> > Slightly more paranoid is to make the following checks:
> > 1] GPG signature of SRPM
> > 2] Is the md5sum of the relevant SRPM in the md5sum file?
> > 3] GPG signature of md5sum file
> > 4] Did the same key sign both files?
> > 
> > If all pass, then pass the test.
> > If 1] passes and 2] fails, pass the test.
> > All other cases fail.
> 
> I don't see the point in this. All it adds is protection against the
> unlikely case that there is a bug in the MD5 checksum code or crypto
> routines included in GPG. These tools are designed and tested to be
> reliable; second-guessing them is a waste of time. If you know enough
> about crypto to prove it's necessary, I suggest applying that knowledge
> to improving those tools.
> 
The pointlessness is why I started off by saying a valid GPG signature
makes checking the MD5sum unnecessary. (ie: only check step 1 above, all
the rest is unnecessary.)

The more paranoid method I describe checks for inconsistencies between
the SRPM and other documentation on the SRPM (same person signed both
files which seem to both refer to the same SRPM.  A double check.)  In
the real world, if someone could compromise an SRPM on a server, they
could probably also compromise the md5sum file.

This stems from a piece of my original post which you snipped which
states that I was testing fedora-startqa and it verified the SRPM GPG
but then errored out because the MD5sum file wasn't up-to-date (and so
couldn't find the SRPM listed there.)   From your comments here, I think
you're planning on removing the md5sum checking so this problem is going
away.

> You still haven't necessarily verified the gpg signature against a web
> of trust, which is FAR more likely to be the source of a problem. I'm
> not really involved with any of these (webs of trust), but when we
> convert the script over to checking RPM sigs using GPG (imminent) we can
> indicate whether or not the signature that passed was a "trusted" one in
> your review account's gpg keyring.
> 
Yes, distributing trust is the real tricky problem of gpg.

-Toshio
-- 
_______S________U________B________L________I________M________E_______
  t  o  s  h  i  o  +  t  i  k  i  -  l  o  u  n  g  e  .  c  o  m
                                                          GA->ME 1999

More information about the fedora-devel-list mailing list
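
The "more paranoid" decision table from the quoted proposal, written out as an added Python example; it is not part of the original message and is not fedora-startqa code. It assumes GPG verification happens elsewhere and arrives as a signer fingerprint (`None` when the signature did not verify), and that check 2 means the SRPM's digest is listed under its file name; all names, fingerprints and sample data are constructed.

```python
import hashlib

def listed_in_md5_file(srpm_name, srpm_bytes, md5_text):
    """Check 2: is this SRPM's MD5 digest listed under its file name?"""
    digest = hashlib.md5(srpm_bytes).hexdigest()
    for line in md5_text.splitlines():
        parts = line.split(None, 1)  # md5sum format: "<digest>  <name>"
        if len(parts) != 2:
            continue
        listed_digest, listed_name = parts
        name = listed_name.strip().lstrip("*")  # "*" marks binary mode
        if name == srpm_name and listed_digest.lower() == digest:
            return True
    return False

def qa_verdict(srpm_name, srpm_bytes, srpm_signer, md5_text, md5_signer):
    """Apply the four checks; signer arguments are verified key
    fingerprints, or None if that signature failed (assumed inputs)."""
    if srpm_signer is None:                      # check 1 failed
        return "FAIL"
    if not listed_in_md5_file(srpm_name, srpm_bytes, md5_text):
        return "PASS"                            # 1 passes, 2 fails
    if md5_signer is None:                       # check 3 failed
        return "FAIL"
    # check 4: the same key must have signed both files
    return "PASS" if md5_signer == srpm_signer else "FAIL"

# Constructed sample data, not taken from any real package or key.
SRPM_NAME = "example-1.0-1.src.rpm"
SRPM_BYTES = b"constructed SRPM payload"
KEY_A = "A" * 40
KEY_B = "B" * 40
FRESH = f"{hashlib.md5(SRPM_BYTES).hexdigest()}  {SRPM_NAME}\n"
STALE = "0" * 32 + "  other-0.1-1.src.rpm\n"   # SRPM not listed yet

if __name__ == "__main__":
    cases = [
        ("all four checks pass", KEY_A, FRESH, KEY_A),
        ("md5sum file out of date", KEY_A, STALE, KEY_A),
        ("SRPM signature invalid", None, FRESH, KEY_A),
        ("md5sum file signature invalid", KEY_A, FRESH, None),
        ("different signing keys", KEY_A, FRESH, KEY_B),
    ]
    for label, srpm_key, md5_text, md5_key in cases:
        verdict = qa_verdict(SRPM_NAME, SRPM_BYTES, srpm_key, md5_text, md5_key)
        print(f"{label:32} {verdict}")
```

The second case is the one described in the message: the SRPM signature verifies but the md5sum file has no entry for it, and this policy passes it instead of erroring out.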