rpm --import

Tyler Larson fedora-devel at tlarson.com
Fri Jan 7 17:31:29 UTC 2005


Jay Turner wrote:
> On Fri, Jan 07, 2005 at 12:09:52PM +0100, Ralf Ertzinger wrote:
> 
>>Florin Andrei <florin at andrei.myip.org> wrote:
>>
>>
>>>One thing that i noticed the newbies get confused with is the "rpm --
>>>import (blah)GPG-KEY" trick that has to be done after installing a new
>>>system.
>>
>>I'm sure there is a good reason why the keys are not imported by the installer
>>by default, would someone be so kind to tell me why?
> 
> 
> Security.  It's generally a good idea to validate that the key you're
> adding to the keyring is really the one that you think it is, and if this
> keyring addition were done automatically, then someone could switch out the
> keys, thus a malicious key would be automatically added to the keyring.
> Things start to go downhill from that point.
> 
> - jkt
> 

If someone has enough access to insert their own public key into the 
pre-install image, they also have enough access to modify rpm to do their evil 
bidding, with or without keys. The install image *must be trusted* if 
anything can be trusted at all. Let me say that again, because it's critically 
important. If you can't trust the install image, all other bets about security 
are off. Your box has been r00ted-- reformat, reinstall; there are no other 
options.

Furthermore, for the average user, it's actually *less* secure to have them 
import the key manually, because:

* There's an added opportunity for a malicious user to add their own key in 
place of the "real" one between when the OS is installed and when the key is 
imported. The number of users who actually *do* check key fingerprints is so 
absurdly small that it might as well be zero. It may look more secure on 
paper, but in practice (where security really matters) it's worse.

* Many users simply disable key checking to avoid the hassle of importing the 
keys manually. This isn't a "some user might" sort of hypothesis--I've 
witnessed it myself on multiple occasions. It *does* happen.

If web browsers forced the user to import all the root CA certs right after 
install, web security would be a joke. There would be no real guarantee of 
trust.  You simply can't rely on the end user to set up his local security 
infrastructure correctly. Sure, you could tell grandma to be careful and 
verify all the certificate fingerprints before importing them, but how likely 
is that going to be? The average end user doesn't care about security until it 
all hits the fan. Our job is to keep that from happening, despite their best 
efforts to thwart us.

If security is your reason for requiring this extra step, then quit it. It 
isn't helping. If keys in the keyring upon system install can't be trusted, 
then nothing at all about the system can be trusted.
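The practice the thread keeps circling back to (checking a key's fingerprint before `rpm --import`, and not leaving signature checking switched off) can be made routine instead of relying on the user to remember it. The script below is an added example written for this page, not code from the thread or from Fedora; `RPM_KEY_FILE` and the fingerprint in the example invocation are placeholders, and the sample gpg and `.repo` text used in comments is constructed. It uses gpg's `--import-options show-only` so the candidate key is inspected without touching any keyring, compares the fingerprint against a value supplied from an out-of-band source, and only then calls `rpm --import`. A second helper flags repository definitions that have `gpgcheck=0`, which is the "users simply disable key checking" case the post describes.

```shell
#!/bin/sh
# Added example (not from the original thread): import an RPM signing key only
# after its fingerprint matches a value obtained out of band, and spot repo
# definitions that have signature checking disabled.
set -eu

# Strip spaces and upper-case hex so two renderings of one fingerprint compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Extract the primary key fingerprint from `gpg --with-colons` records on stdin
# (the first "fpr" record; the fingerprint is field 10).
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Return 0 when the key file's fingerprint equals the expected one.
# show-only parses the key without writing it to any keyring.
key_matches() {
    keyfile=$1
    expected=$(normalize_fpr "$2")
    actual=$(gpg --batch --with-colons --import-options show-only \
                 --import "$keyfile" 2>/dev/null | fpr_from_colons)
    [ -n "$actual" ] && [ "$(normalize_fpr "$actual")" = "$expected" ]
}

# Import into the rpm keyring only after the fingerprint check passes.
import_if_verified() {
    if key_matches "$1" "$2"; then
        rpm --import "$1"
    else
        echo "fingerprint mismatch for $1; refusing to import" >&2
        return 1
    fi
}

# Print (with line numbers) every gpgcheck=0 line in .repo-style text on stdin,
# e.g. "2:gpgcheck=0" for a constructed file whose second line disables checks.
disabled_gpgcheck() {
    grep -n -E '^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*0([[:space:]]|$)' || true
}

# Example invocation with placeholder values. The expected fingerprint must come
# from a source independent of the key download (printed media, a TLS-protected
# vendor page already trusted, etc.):
# RPM_KEY_FILE=/path/to/RPM-GPG-KEY
# import_if_verified "$RPM_KEY_FILE" "0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"
# cat /etc/yum.repos.d/*.repo | disabled_gpgcheck
```

`fpr_from_colons` and `disabled_gpgcheck` read from stdin so they can be exercised on captured text without gpg or rpm installed; `key_matches` and `import_if_verified` are the pieces that need the real tools. The `|| true` on the grep keeps the script usable under `set -e` when no offending line exists.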
