How secure is Preupgrade? Answer: Not.

Todd Denniston Todd.Denniston at ssa.crane.navy.mil
Thu May 22 13:32:58 UTC 2008


Björn Persson wrote, On 05/21/2008 08:54 PM:
> Beartooth Sciurivore wrote:
>> 	Dumb question, probably : if you install and run preupgrade
>> according to http://fedoraproject.org/wiki/PreUpgrade, BUT let it stop
>> after downloading boot images, is there some user-friendly thing you can
>> do then to make it secure? Something on the order of getting into a
>> directory and commanding, in effect, "check all signatures"?
> 
> No. You can check the RPM packages in /var/cache/yum/anaconda-upgrade/packages 
> with rpm --checksig (assuming you have known good public keys in the RPM 
> database, but that's required for Yum too). The big problem is that you can't 
> check the boot images in /boot/upgrade, because nobody has made signatures 
> for them. Making signatures is easy, but only the owners of the Fedora 
> project's private key can do it.
> 
>> 	Or had we just better wait till PreUpgrade 1.0 comes out? Or ...?
> 
> Don't hold your breath. Checking the packages is scheduled for 1.1:
> 
> https://fedorahosted.org/preupgrade/ticket/7
> 
> Checking the boot images is scheduled for 1.2, but that ticket talks about 
> checksums, not signatures, so I think it's only intended to protect against 
> accidental corruption, not malicious tampering:
> 
> https://fedorahosted.org/preupgrade/ticket/8

I was going to suggest checking against the md5/sha1 sums in the jigdos until 
I checked and noted that the jigdos[1] are not signed (not even with a 
detached sig).
Though at least for me the resulting isos (from the jigdos I used) passed 
the sha1sums that were signed by RH[2] (using an RH/fedora public key I have 
had for a few years). So we are still looking at a second|third hand (sig on 
an sha1, of 3 of the isos[3], that contained the boot images) confirmation, 
but the ones I got at least have a _chance_ of being the right ones.

Note, I am not suggesting that there should not be sigs done on the install 
media, I was just seeing how close we could get with today's available meta 
data.  And I am not as comfortable as I was 5 minutes ago. :|

[1] http://download.fedora.redhat.com/pub/fedora/linux/releases/9/Fedora/i386/jigdo/
[2] http://fedoraproject.org/en/verify
[3] Fedora-9-i386-DVD, Fedora-9-i386-disc1, Fedora-9-i386-netinst
-- 
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter
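
The chain described in this message (signed SHA-1 list, then ISO, then the boot images inside it), written as shell functions; this is an added example, not part of the original post or of preupgrade. It assumes the checksum file's signature has already been verified with gpg, and the directory and file-name arguments are supplied by the caller.

```shell
#!/bin/sh
# Added example. ASSUMPTION: SUMFILE holds only text whose signature was
# already verified, e.g. for a clearsigned file the output of
#   gpg --output SHA1SUM.verified --decrypt SHA1SUM
# run with a trusted Fedora public key in the keyring.

# check_iso SUMFILE ISO
# Returns 0 if the SHA-1 of ISO equals its entry in SUMFILE, 1 on a
# mismatch, 2 if SUMFILE has no entry for that file name.
check_iso() {
    sumfile=$1
    iso=$2
    name=$(basename "$iso")
    # sha1sum line format: "<hex>  <name>" (text) or "<hex> *<name>" (binary)
    want=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) }
                             f == n { print $1; exit }' "$sumfile")
    [ -n "$want" ] || { echo "no entry for $name in $sumfile" >&2; return 2; }
    have=$(sha1sum "$iso" | awk '{ print $1 }')
    [ "$want" = "$have" ]
}

# check_boot_images REF_DIR BOOT_DIR FILE...
# REF_DIR: directory inside the mounted, verified ISO that holds the boot
# images; BOOT_DIR: where preupgrade put its copies (/boot/upgrade).
# Returns 0 only if every FILE is byte-identical in both directories.
check_boot_images() {
    ref=$1
    dir=$2
    shift 2
    rc=0
    for f in "$@"; do
        if cmp -s "$ref/$f" "$dir/$f"; then
            echo "OK       $f"
        else
            echo "MISMATCH $f" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Stand-alone use: sh check.sh SUMFILE ISO REF_DIR BOOT_DIR FILE...
if [ "$#" -ge 5 ]; then
    s=$1; i=$2; r=$3; b=$4
    shift 4
    check_iso "$s" "$i" && check_boot_images "$r" "$b" "$@"
    exit $?
fi
```

A pass here is still only the indirect confirmation the message describes: the downloaded boot images match those on an ISO covered by a signed checksum, not that the images carry a signature of their own.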



