How secure is Preupgrade? Answer: Not.
Todd Denniston
Todd.Denniston at ssa.crane.navy.mil
Thu May 22 13:32:58 UTC 2008
Björn Persson wrote, On 05/21/2008 08:54 PM:
> Beartooth Sciurivore wrote:
>> Dumb question, probably : if you install and run preupgrade
>> according to http://fedoraproject.org/wiki/PreUpgrade, BUT let it stop
>> after downloading boot images, is there some user-friendly thing you can
>> do then to make it secure? Something on the order of getting into a
>> directory and commanding, in effect, "check all signatures"?
>
> No. You can check the RPM packages in /var/cache/yum/anaconda-upgrade/packages
> with rpm --checksig (assuming you have known good public keys in the RPM
> database, but that's required for Yum too). The big problem is that you can't
> check the boot images in /boot/upgrade, because nobody has made signatures
> for them. Making signatures is easy, but only the owners of the Fedora
> project's private key can do it.
>
>> Or had we just better wait till PreUpgrade 1.0 comes out? Or ...?
>
> Don't hold your breath. Checking the packages is scheduled for 1.1:
>
> https://fedorahosted.org/preupgrade/ticket/7
>
> Checking the boot images is scheduled for 1.2, but that ticket talks about
> checksums, not signatures, so I think it's only intended to protect against
> accidental corruption, not malicious tampering:
>
> https://fedorahosted.org/preupgrade/ticket/8

I was going to suggest checking against the md5/sha1 sums in the jigdo's until
I checked and noted that the jigdo's[1] are not signed (not even with a
detached sig).

Though at least for me the resulting iso's (from the jigdo's I used) passed
the sha1sums that were signed by RH[2] (using an RH/fedora public key I have
had for a few years). So we are still looking at a second|third hand (sig on
an sha1, of 3 of the isos[3], that contained the boot images) confirmation,
but the ones I got at least have a _chance_ of being the right ones.

Note, I am not suggesting that there should not be sigs done on the install
media, I was just seeing how close we could get with today's available meta
data. And I am not as comfortable as I was 5 minutes ago. :|

[1] http://download.fedora.redhat.com/pub/fedora/linux/releases/9/Fedora/i386/jigdo/
[2] http://fedoraproject.org/en/verify
[3] Fedora-9-i386-DVD, Fedora-9-i386-disc1, Fedora-9-i386-netinst

--
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter
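
The check discussed in this thread, as an added example that is not part of the original post or of preupgrade: it audits a directory against a sha1sum-format manifest and reports which files a signed checksum actually covers. The function names, file names and sample data are hypothetical, and the manifest's signature is assumed to have been verified separately (for instance with gpg --verify) against a trusted key.

```python
import hashlib
import re
import tempfile
from pathlib import Path

_LINE = re.compile(r"^([0-9a-fA-F]{40}) [ *](.+)$")  # sha1sum(1) output format


def parse_manifest(text):
    """Parse only; the signature must already be verified (e.g. gpg --verify)."""
    sums = {}
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break  # armored signature follows, no more checksum lines
        m = _LINE.match(line)
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def sha1_file(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def audit(directory, manifest_text):
    """Classify each file as ok / mismatch / missing / unlisted."""
    sums = parse_manifest(manifest_text)
    report = {}
    for name, want in sums.items():
        p = Path(directory) / name
        report[name] = ("missing" if not p.is_file()
                        else "ok" if sha1_file(p) == want else "mismatch")
    for p in Path(directory).iterdir():
        if p.is_file() and p.name not in sums:
            report[p.name] = "unlisted"  # nothing signed vouches for it
    return report


def demo():
    """Constructed sample: good ISO, altered ISO, absent ISO, uncovered image."""
    sha = lambda b: hashlib.sha1(b).hexdigest()
    manifest = (f"{sha(b'good')} *a.iso\n{sha(b'orig')} *b.iso\n"
                f"{sha(b'x')} *c.iso\n-----BEGIN PGP SIGNATURE-----\n")
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("a.iso", b"good"), ("b.iso", b"altered"), ("initrd.img", b"boot")):
            (Path(d) / name).write_bytes(data)
        return audit(d, manifest)
```

An "unlisted" result is the case the thread worries about: a file such as a boot image that no signed checksum covers, so a matching hash elsewhere says nothing about it.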