Re: How secure is Preupgrade?
- From: Rahul Sundaram <sundaram fedoraproject org>
- To: For users of Fedora <fedora-list redhat com>
- Subject: Re: How secure is Preupgrade?
- Date: Tue, 20 May 2008 06:27:37 +0530
Björn Persson wrote:
> I'm not sure what you mean here. I think you mean that Yum checks the packages
> when it has downloaded them, so that when Preupgrade wants to reboot, all the
> packages are known to be good. Is that right? (The "when it is installing
> them" part seems to indicate, to the contrary, that the checking happens
> during the upgrade, after the reboot.)

gpg check is during the installation/upgrade phase.

> That still leaves the files in /boot/upgrade, which contain executable code
> but which are not RPM packages. Did they come out of an RPM package whose
> signature was checked?

They are.

> Were they checked against some detached PGP signatures
> that I haven't found? Were they downloaded with HTTPS from a trusted server?
> (Some random dude's mirror isn't necessarily trusted.) Or have they not been
> checked at all? Signatures on all the packages don't help much if the kernel
> itself is a Trojan horse, you know.

Nobody else can sign it with the Fedora key except trusted members in
the project. It doesn't merely verify that it is signed with
Fedora or Red Hat keys.

> And does the
> RPM in the installer system have the necessary keys to check the signatures
> when Anaconda decides to download additional packages?

Yes, but more questions about internal details on how it all works can be
either posted to fedora-devel list or anaconda-devel list. There might
be things folks have missed in the process.

Rahul