Time to resurrect multi-key signatures in RPM?

Bojan Smojver bojan at rexursive.com
Tue Aug 26 01:56:52 UTC 2008


In the light of recent RPM signing intrusions, maybe we should resurrect
the RPM feature where multiple signatures are allowed (i.e. --addsign is
different to --resign)? With this we could then require N good
signatures (and no bad ones) on each package before yum would trust the
content.

What I'm getting at with this is distributed package signing, which
would make the job of breaking the trust much harder for attackers, as
they would have to crack private keys of many people around the world in
order to subvert Fedora packages.

For instance, an attacker being in the position of injecting a bad
package and signing it with Fedora key would still get nowhere, as he'd
need to convince other signatories to sign those packages before them
being any threat to Fedora users. Before signing, signatories could
require that original contributor that built the package for a
particular tag sends a signed e-mail (containing that tag and package
checksums - valid only once) to the signatories, therefore requiring yet
another compromised private key in order to perform an attack.
Signatories could also use alternative build systems with no public
access (e.g. their own, Matt's at Dell etc.) to verify package checksums
before signing, in order to avoid trusting a compromised Fedora build
system.

This would require more distributed resources and would slow the update
process down somewhat, but may avoid single point of intrusion as being
sufficient to break the distro.

Comments?

-- 
Bojan




More information about the fedora-devel-list mailing list